tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Reland "Fake 29.0 sepolicy prebuilts"

Browse source 
I took current AOSP policy as base, then removed sepolicy so that the
set of type and attributes was a subset of types and attributes in Q
sepolicy, with exception of those that have not yet been cleand up in
current AOSP:

mediaswcodec_server
netd_socket
mediaextractor_update_service
thermalserviced
thermalserviced_exec

Bug: 133196056
Test: n/a
Change-Id: I863429d61d3fad0272c1d3f1e429cd997513a74a
Merged-In: I3e091652fa8d1757b1f71f7559186d5b32f000d5
This commit is contained in:
Tri Vo 2019-06-01 17:03:29 -07:00
parent 7b54926292
commit 336d0fed4e
390 changed files with 28681 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

746
prebuilts/api/29.0/private/access_vectors Normal file
View file

@ -0,0 +1,746 @@
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
map
unlink
link
rename
execute
quotaon
mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
map
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define a common for capability access vectors.
#
common cap
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the cap2 common.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
common cap2
{
mac_override # unused by SELinux
mac_admin # unused by SELinux
syslog
wake_alarm
block_suspend
audit_read
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
open
audit_access
execmod
}
class file
inherits file
{
execute_no_trans
entrypoint
execmod
open
audit_access
}
class lnk_file
inherits file
{
open
audit_access
execmod
}
class chr_file
inherits file
{
execute_no_trans
entrypoint
execmod
open
audit_access
}
class blk_file
inherits file
{
open
audit_access
execmod
}
class sock_file
inherits file
{
open
audit_access
execmod
}
class fifo_file
inherits file
{
open
audit_access
execmod
}
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
recvfrom
sendto
}
class netif
{
ingress
egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
setkeycreate
setsockcreate
getrlimit
}
class process2
{
nnp_transition
nosuid_transition
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
read_policy
validate_trans
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
module_request
module_load
}
#
# Define the access vector interpretation for controlling capabilities
#
class capability
inherits cap
class capability2
inherits cap2
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
nlmsg_tty_audit
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
sendto
recvfrom
setcontext
polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket
class appletalk_socket
inherits socket
class packet
{
send
recv
relabelto
flow_in # deprecated
flow_out # deprecated
forward_in
forward_out
}
class key
{
view
read
write
search
link
setattr
create
}
class dccp_socket
inherits socket
{
node_bind
name_connect
}
class memprotect
{
mmap_zero
}
# network peer labels
class peer
{
recv
}
class kernel_service
{
use_as_override
create_files_as
}
class tun_socket
inherits socket
{
attach_queue
}
class binder
{
impersonate
call
set_context_mgr
transfer
}
class netlink_iscsi_socket
inherits socket
class netlink_fib_lookup_socket
inherits socket
class netlink_connector_socket
inherits socket
class netlink_netfilter_socket
inherits socket
class netlink_generic_socket
inherits socket
class netlink_scsitransport_socket
inherits socket
class netlink_rdma_socket
inherits socket
class netlink_crypto_socket
inherits socket
class infiniband_pkey
{
access
}
class infiniband_endport
{
manage_subnet
}
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
class cap_userns
inherits cap
class cap2_userns
inherits cap2
#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#
#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
node_bind
name_connect
association
}
class icmp_socket
inherits socket
{
node_bind
}
#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#
class ax25_socket
inherits socket
class ipx_socket
inherits socket
class netrom_socket
inherits socket
class atmpvc_socket
inherits socket
class x25_socket
inherits socket
class rose_socket
inherits socket
class decnet_socket
inherits socket
class atmsvc_socket
inherits socket
class rds_socket
inherits socket
class irda_socket
inherits socket
class pppox_socket
inherits socket
class llc_socket
inherits socket
class can_socket
inherits socket
class tipc_socket
inherits socket
class bluetooth_socket
inherits socket
class iucv_socket
inherits socket
class rxrpc_socket
inherits socket
class isdn_socket
inherits socket
class phonet_socket
inherits socket
class ieee802154_socket
inherits socket
class caif_socket
inherits socket
class alg_socket
inherits socket
class nfc_socket
inherits socket
class vsock_socket
inherits socket
class kcm_socket
inherits socket
class qipcrtr_socket
inherits socket
class smc_socket
inherits socket
class bpf
{
map_create
map_read
map_write
prog_load
prog_run
}
class property_service
{
set
}
class service_manager
{
add
find
list
}
class hwservice_manager
{
add
find
list
}
class keystore_key
{
get_state
get
insert
delete
exist
list
reset
password
lock
unlock
is_empty
sign
verify
grant
duplicate
clear_uid
add_auth
user_changed
gen_unique_id
}
class drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
}
class xdp_socket
inherits socket

190
prebuilts/api/29.0/private/adbd.te Normal file
View file

@ -0,0 +1,190 @@
### ADB daemon
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
init_daemon_domain(adbd)
domain_auto_trans(adbd, shell_exec, shell)
userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
# is not labeled as shell but as rootfs.
recovery_only(`
domain_trans(adbd, rootfs, shell)
allow adbd shell:process dyntransition;
# Allows reboot fastboot to enter fastboot directly
unix_socket_connect(adbd, recovery, recovery)
')
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
allow adbd self:global_capability_class_set { setuid setgid };
# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
# Create and use network sockets.
net_domain(adbd)
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;
allowxperm adbd functionfs:file ioctl {
FUNCTIONFS_ENDPOINT_DESC
FUNCTIONFS_CLEAR_HALT
};
# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;
# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
# adb pull /data/local/traces/*
allow adbd trace_data_file:dir r_dir_perms;
allow adbd trace_data_file:file r_file_perms;
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
set_prop(adbd, ffs_prop)
set_prop(adbd, exported_ffs_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
# Read device's serial number from system properties
get_prop(adbd, serialno_prop)
# Read whether or not Test Harness Mode is enabled
get_prop(adbd, test_harness_prop)
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
r_dir_file(adbd, sysfs_dt_firmware_android)
')
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;
userdebug_or_eng(`
# Write debugging information to /data/adb
# when persist.adb.trace_mask is set
# https://code.google.com/p/android/issues/detail?id=72895
allow adbd adb_data_file:dir rw_dir_perms;
allow adbd adb_data_file:file create_file_perms;
')
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
# Allow pulling the SELinux policy for CTS purposes
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
allow adbd file_contexts_file:file r_file_perms;
allow adbd seapp_contexts_file:file r_file_perms;
allow adbd property_contexts_file:file r_file_perms;
allow adbd sepolicy_file:file r_file_perms;
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;
r_dir_file(adbd, apk_data_file)
allow adbd rootfs:dir r_dir_perms;
# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write };
allow adbd shell:fd use;
###
### Neverallow rules
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell }:process transition;
neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;

20
prebuilts/api/29.0/private/apex_test_prepostinstall.te Normal file
View file

@ -0,0 +1,20 @@
# APEX pre- & post-install test.
#
# Allow to run pre- and post-install hooks for APEX test modules
# in debuggable builds.
type apex_test_prepostinstall, domain, coredomain;
type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
# /dev/zero
allow apex_test_prepostinstall apexd:fd use;
# Logwrapper.
create_pty(apex_test_prepostinstall)
# Logwrapper executing sh.
allow apex_test_prepostinstall shell_exec:file rx_file_perms;
# Logwrapper exec.
allow apex_test_prepostinstall system_file:file execute_no_trans;
# Ls.
allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
')

116
prebuilts/api/29.0/private/apexd.te Normal file
View file

@ -0,0 +1,116 @@
typeattribute apexd coredomain;
init_daemon_domain(apexd)
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir create_dir_perms;
allow apexd apex_data_file:file create_file_perms;
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
allow apexd loop_device:blk_file rw_file_perms;
allowxperm apexd loop_device:blk_file ioctl {
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file rw_file_perms;
allow apexd dm_device:blk_file rw_file_perms;
# sys_admin is required to access the device-mapper and mount
allow apexd self:global_capability_class_set sys_admin;
# allow apexd to create a mount point in /apex
allow apexd apex_mnt_dir:dir create_dir_perms;
# allow apexd to mount in /apex
allow apexd apex_mnt_dir:filesystem { mount unmount };
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
# allow apexd to read files from /vendor/apex
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
allow apexd sysfs_dm:file rw_file_perms;
# for loopX
allow apexd sysfs_loop:dir r_dir_perms;
allow apexd sysfs_loop:file rw_file_perms;
# Spawning a libbinder thread results in a dac_override deny,
# /dev/cpuset/tasks is owned by system.
#
# See b/35323867#comment3
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
# Allow apexd to reboot device. Required for rollbacks of apexes that are
# not covered by rollback manager.
set_prop(apexd, powerctl_prop)
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
allow apexd apexd_exec:file execute_no_trans;
# Unshare and make / private so that hooks cannot influence the
# running system.
allow apexd rootfs:dir mounton;
# Allow to execute shell for pre- and postinstall scripts. A transition
# rule is required, thus restricted to execute and not execute_no_trans.
allow apexd shell_exec:file { r_file_perms execute };
# apexd is using bootstrap bionic
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
# Allow transition to ART APEX preinstall domain.
domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
# Allow transition to ART APEX postinstall domain.
domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;

17
prebuilts/api/29.0/private/app.te Normal file
View file

@ -0,0 +1,17 @@
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
# Transition to a non-app domain.
# Exception for the shell and su domains, can transition to runas, etc.
# Exception for crash_dump to allow for app crash reporting.
# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
# to allow renderscript to create privileged executable files.
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };

293
prebuilts/api/29.0/private/app_neverallows.te Normal file
View file

@ -0,0 +1,293 @@
###
### neverallow rules for untrusted app domains
###
define(`all_untrusted_apps',`{
ephemeral_app
isolated_app
mediaprovider
untrusted_app
untrusted_app_25
untrusted_app_27
untrusted_app_all
}')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;
# Do not allow untrusted apps to use VendorBinder
neverallow all_untrusted_apps vndbinder_device:chr_file *;
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
neverallow all_untrusted_apps app_exec_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
# Block calling execve() on files in an apps home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
} dex2oat_exec:file no_x_file_perms;
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
neverallow all_untrusted_apps mlstrustedsubject:process fork;
# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
neverallow all_untrusted_apps file_type:file link;
# Do not allow untrusted apps to access network MAC address file
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
# Do not allow any write access to files in /sys
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
# Apps may never access the default sysfs label.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
socket netlink_socket packet_socket key_socket appletalk_socket
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket sctp_socket
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-sdcard_type
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
-app_exec_data_file # stored within the app sandbox directory
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
')
}:dir_file_class_set { create unlink };
# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
SIOCGIFHWADDR
SIOCSIFHWADDR
TUNATTACHFILTER
TUNDETACHFILTER
TUNGETFEATURES
TUNGETFILTER
TUNGETSNDBUF
TUNGETVNETHDRSZ
TUNSETDEBUG
TUNSETGROUP
TUNSETIFF
TUNSETLINK
TUNSETNOCSUM
TUNSETOFFLOAD
TUNSETOWNER
TUNSETPERSIST
TUNSETQUEUE
TUNSETSNDBUF
TUNSETTXFILTER
TUNSETVNETHDRSZ
};
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow all_untrusted_apps {
proc
proc_asound
proc_filesystems
proc_kmsg
proc_loadavg
proc_mounts
proc_pagetypeinfo
proc_slabinfo
proc_stat
proc_swaps
proc_uptime
proc_version
proc_vmallocinfo
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
# Do not permit access from apps which host arbitrary code to HwBinder services,
# except those considered sufficiently safe for access from such apps.
# The two main reasons for this are:
# 1. HwBinder servers do not perform client authentication because HIDL
# currently does not expose caller UID information and, even if it did, many
# HwBinder services either operate at a level below that of apps (e.g., HALs)
# or must not rely on app identity for authorization. Thus, to be safe, the
# default assumption is that every HwBinder service treats all its clients as
# equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with higher
# incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
#
# Safe services include:
# - same process services: because they by definition run in the process
# of the client and thus have the same access as the client domain in which
# the process runs
# - coredomain_hwservice: are considered safe because they do not pose risks
# associated with reason #2 above.
# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
# designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
# by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
# Binder service which apps were permitted to access.
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
neverallow all_untrusted_apps {
hwservice_manager_type
-fwk_bufferhub_hwservice
-hal_cas_hwservice
-hal_codec2_hwservice
-hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
-hal_graphics_mapper_hwservice
-hal_neuralnetworks_hwservice
-hal_omx_hwservice
-hal_renderscript_hwservice
-hidl_allocator_hwservice
-hidl_manager_hwservice
-hidl_memory_hwservice
-hidl_token_hwservice
-untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
# Restrict *Binder access from apps to HAL domains. We can only do this on full
# Treble devices where *Binder communications between apps and HALs are tightly
# restricted.
full_treble_only(`
neverallow all_untrusted_apps {
halserverdomain
-coredomain
-hal_configstore_server
-hal_graphics_allocator_server
-hal_cas_server
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-untrusted_app_visible_halserver_violators
}:binder { call transfer };
')
# Untrusted apps are not allowed to find mediaextractor update service.
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
# They must use ASharedMemory NDK API instead.
neverallow {
all_untrusted_apps
-ephemeral_app
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;

158
prebuilts/api/29.0/private/app_zygote.te Normal file
View file

@ -0,0 +1,158 @@
typeattribute app_zygote coredomain;
######
###### Policy below is different from regular zygote-spawned apps
######
# The app_zygote needs to be able to transition domains.
typeattribute app_zygote mlstrustedsubject;
# Allow access to temporary files, which is normally permitted through
# a domain macro.
tmpfs_domain(app_zygote);
# Set the UID/GID of the process.
# This will be further limited to a range of isolated UIDs with seccomp.
allow app_zygote self:global_capability_class_set { setgid setuid };
# Drop capabilities from bounding set.
allow app_zygote self:global_capability_class_set setpcap;
# Switch SELinux context to isolated app domain.
allow app_zygote self:process setcurrent;
allow app_zygote isolated_app:process dyntransition;
# For JIT
allow app_zygote self:process execmem;
# Allow app_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow app_zygote debugfs_trace_marker:file getattr;
# get system_server process group
allow app_zygote system_server:process getpgid;
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
# Get seapp_contexts
allow app_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(app_zygote)
# Check SELinux permissions.
selinux_check_access(app_zygote)
######
###### Policy below is shared with regular zygote-spawned apps
######
# Child of zygote.
allow app_zygote zygote:fd use;
allow app_zygote zygote:process sigchld;
# For ART (read /data/dalvik-cache).
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
# Allow reading/executing installed binaries to enable preloading
# application data
allow app_zygote apk_data_file:dir r_dir_perms;
allow app_zygote apk_data_file:file { r_file_perms execute };
# Allow app_zygote access to /vendor/overlay
r_dir_file(app_zygote, vendor_overlay_file)
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
#####
##### Neverallow
#####
# Only permit transition to isolated_app.
neverallow app_zygote { domain -isolated_app }:process dyntransition;
# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow app_zygote { domain -crash_dump }:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow app_zygote *:file execute_no_trans;
# The only way to enter this domain is for the zygote to fork a new
# app_zygote child.
neverallow { domain -zygote } app_zygote:process dyntransition;
# Disallow write access to properties.
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;
# Should not have any access to non-app data files.
neverallow app_zygote {
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
}:file { rwx_file_perms };
neverallow app_zygote {
service_manager_type
-activity_service
-ashmem_device_service
-webviewupdate_service
}:service_manager find;
# Isolated apps should not be able to access the driver directly.
neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
# Do not allow app_zygote access to /cache.
neverallow app_zygote cache_file:dir ~{ r_dir_perms };
neverallow app_zygote cache_file:file ~{ read getattr };
# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
neverallow app_zygote domain:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
appletalk_socket netlink_route_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
# Think twice before changing.
neverallow app_zygote {
domain
-app_zygote
-logd
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
}:unix_dgram_socket *;
neverallow app_zygote {
domain
-app_zygote
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
}:unix_stream_socket *;
# Never allow ptrace
neverallow app_zygote *:process ptrace;
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow app_zygote {
bluetooth_a2dp_offload_prop
bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;

28
prebuilts/api/29.0/private/art_apex_boot_integrity.te Normal file
View file

@ -0,0 +1,28 @@
# This command set checks the integrity of boot classpath ART
# artifacts in /data, potentially removing them.
type art_apex_boot_integrity, domain, coredomain;
type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# art_apex_boot_integrity to occur.
init_daemon_domain(art_apex_boot_integrity)
# Read dalvik cache directories, remove entries.
allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name };
# Read and possibly delete dalvik cache files.
allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
allow art_apex_boot_integrity shell_exec:file rx_file_perms;
# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
# permissions.
allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
# Fsverity in the same domain.
allow art_apex_boot_integrity system_file:file execute_no_trans;
# Fsverity work.
allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};

31
prebuilts/api/29.0/private/art_apex_postinstall.te Normal file
View file

@ -0,0 +1,31 @@
# ART APEX postinstall.
#
type art_apex_postinstall, domain, coredomain;
type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
# /system/bin/sh (see b/126787589).
allow art_apex_postinstall apexd:fd use;
# Read temp dirs and files. Move directories.
allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
# We're deleting the old /data/dalvik-cache/* and move the new ones
# over.
allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
# Required for relabel.
allow art_apex_postinstall file_contexts_file:file r_file_perms;
allow art_apex_postinstall self:global_capability_class_set sys_admin;
# Script helpers.
allow art_apex_postinstall shell_exec:file rx_file_perms;
allow art_apex_postinstall toolbox_exec:file rx_file_perms;
# Fsverity in the same domain.
allow art_apex_postinstall system_file:file execute_no_trans;
# Fsverity work.
allowxperm art_apex_postinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};

33
prebuilts/api/29.0/private/art_apex_preinstall.te Normal file
View file

@ -0,0 +1,33 @@
# ART APEX preinstall.
#
type art_apex_preinstall, domain, coredomain;
type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
# /system/bin/sh (see b/126787589).
allow art_apex_preinstall apexd:fd use;
# Create temp dirs and files under /data/ota.
allow art_apex_preinstall ota_data_file:dir create_dir_perms;
allow art_apex_preinstall ota_data_file:file create_file_perms;
# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
# mount namespace.
allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
allow art_apex_preinstall self:capability sys_admin;
# Script helpers.
allow art_apex_preinstall shell_exec:file rx_file_perms;
allow art_apex_preinstall toolbox_exec:file rx_file_perms;
# Execute subscripts in the same domain.
allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
# Run dex2oat.
domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
# Fsverity in the same domain.
allow art_apex_preinstall system_file:file execute_no_trans;
# Fsverity work.
allowxperm art_apex_preinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};

8
prebuilts/api/29.0/private/asan_extract.te Normal file
View file

@ -0,0 +1,8 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
# Technically not a daemon but we do want the transition from init domain to
# asan_extract to occur.
with_asan(`
typeattribute asan_extract coredomain;
init_daemon_domain(asan_extract)
')

9
prebuilts/api/29.0/private/ashmemd.te Normal file
View file

@ -0,0 +1,9 @@
typeattribute ashmemd coredomain;
type ashmemd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(ashmemd)
binder_use(ashmemd)
add_service(ashmemd, ashmem_device_service)
allow ashmemd ashmem_device:chr_file rw_file_perms;

78
prebuilts/api/29.0/private/atrace.te Normal file
View file

@ -0,0 +1,78 @@
# Domain for atrace process.
# It is spawned either by traced_probes or by init for the boottrace service.
type atrace, domain, coredomain;
type atrace_exec, exec_type, file_type, system_file_type;
# boottrace services uses /data/misc/boottrace/categories
allow atrace boottrace_data_file:dir search;
allow atrace boottrace_data_file:file r_file_perms;
# Allow atrace to access tracefs.
allow atrace debugfs_tracing:dir r_dir_perms;
allow atrace debugfs_tracing:file rw_file_perms;
allow atrace debugfs_trace_marker:file getattr;
# Allow atrace to write data when a pipe is used for stdout/stderr
# This is used by Perfetto to capture the output on error in atrace.
allow atrace traced_probes:fd use;
allow atrace traced_probes:fifo_file write;
# atrace sets debug.atrace.* properties
set_prop(atrace, debug_prop)
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
# Allow discovery of binder services.
allow atrace {
service_manager_type
-apex_service
-incident_service
-iorapd_service
-netd_service
-dnsresolver_service
-stats_service
-dumpstate_service
-installd_service
-vold_service
-lpdump_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
# Allow notifying the processes hosting specific binder services that
# trace-related system properties have changed.
binder_use(atrace)
allow atrace healthd:binder call;
allow atrace surfaceflinger:binder call;
allow atrace system_server:binder call;
allow atrace cameraserver:binder call;
# Similarly, on debug builds, allow specific HALs to be notified that
# trace-related system properties have changed.
userdebug_or_eng(`
# List HAL interfaces.
allow atrace hwservicemanager:hwservice_manager list;
# Notify the camera HAL.
hal_client_domain(atrace, hal_camera)
')
# Remove logspam from notification attempts to non-whitelisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
# atrace can call atrace HAL
hal_client_domain(atrace, hal_atrace)
get_prop(atrace, hwservicemanager_prop)
userdebug_or_eng(`
# atrace is generally invoked as a standalone binary from shell or perf
# daemons like Perfetto traced_probes. However, in userdebug builds, there is
# a further option to run atrace as an init daemon for boot tracing.
init_daemon_domain(atrace)
allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
')

98
prebuilts/api/29.0/private/audioserver.te Normal file
View file

@ -0,0 +1,98 @@
# audioserver - audio services daemon
typeattribute audioserver coredomain;
type audioserver_exec, exec_type, file_type, system_file_type;
init_daemon_domain(audioserver)
tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
binder_call(audioserver, appdomain)
binder_service(audioserver)
hal_client_domain(audioserver, hal_allocator)
# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
r_dir_file(audioserver, system_file)
hal_client_domain(audioserver, hal_audio)
userdebug_or_eng(`
# used for TEE sink - pcm capture for debug.
allow audioserver media_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:file create_file_perms;
# ptrace to processes in the same domain for memory leak detection
allow audioserver self:process ptrace;
')
add_service(audioserver, audioserver_service)
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver external_vibrator_service:service_manager find;
allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
set_prop(audioserver, bluetooth_audio_hal_prop)
set_prop(audioserver, bluetooth_prop)
set_prop(audioserver, exported_bluetooth_prop)
# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
# Allow shell commands from ADB and shell for CTS testing/dumping
allow audioserver adbd:fd use;
allow audioserver adbd:unix_stream_socket { read write };
allow audioserver shell:fifo_file { read write };
# Allow shell commands from ADB for CTS testing/dumping
userdebug_or_eng(`
allow audioserver su:fd use;
allow audioserver su:fifo_file { read write };
allow audioserver su:unix_stream_socket { read write };
')
# Allow write access to log tag property
set_prop(audioserver, log_tag_prop);
###
### neverallow rules
###
# audioserver should never execute any executable without a
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
# Allow using wake locks
wakelock_use(audioserver)

18
prebuilts/api/29.0/private/auditctl.te Normal file
View file

@ -0,0 +1,18 @@
#
# /system/bin/auditctl executed for logd
#
# Performs maintenance of the kernel auditing system, including
# setting rate limits on SELinux denials.
#
type auditctl, domain, coredomain;
type auditctl_exec, file_type, system_file_type, exec_type;
# Uncomment the line below to put this domain into permissive
# mode. This helps speed SELinux policy development.
# userdebug_or_eng(`permissive auditctl;')
init_daemon_domain(auditctl)
allow auditctl self:global_capability_class_set audit_control;
allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };

1
prebuilts/api/29.0/private/binder_in_vendor_violators.te Normal file
View file

@ -0,0 +1 @@
allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;

22
prebuilts/api/29.0/private/binderservicedomain.te Normal file
View file

@ -0,0 +1,22 @@
# Rules common to all binder service domains
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell or the serial console
allow binderservicedomain devpts:chr_file rw_file_perms;
allow binderservicedomain console_device:chr_file rw_file_perms;
# Receive and write to a pipe received over Binder from an app.
allow binderservicedomain appdomain:fd use;
allow binderservicedomain appdomain:fifo_file write;
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
use_keystore(binderservicedomain)

6
prebuilts/api/29.0/private/blank_screen.te Normal file
View file

@ -0,0 +1,6 @@
type blank_screen, domain, coredomain;
type blank_screen_exec, exec_type, file_type, system_file_type;
init_daemon_domain(blank_screen)
hal_client_domain(blank_screen, hal_light)

22
prebuilts/api/29.0/private/blkid.te Normal file
View file

@ -0,0 +1,22 @@
# blkid called from vold
typeattribute blkid coredomain;
type blkid_exec, system_file_type, exec_type, file_type;
# Allowed read-only access to encrypted devices to extract UUID/label
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file r_file_perms;
allow blkid dm_device:blk_file r_file_perms;
# Allow stdin/out back to vold
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid blkid_exec:file rx_file_perms;
# Only allow entry from vold
neverallow { domain -vold } blkid:process transition;
neverallow * blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

37
prebuilts/api/29.0/private/blkid_untrusted.te Normal file
View file

@ -0,0 +1,37 @@
# blkid for untrusted block devices
typeattribute blkid_untrusted coredomain;
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;
# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file rx_file_perms;
###
### neverallow rules
###
# Untrusted blkid should never be run on block devices holding sensitive data
neverallow blkid_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

83
prebuilts/api/29.0/private/bluetooth.te Normal file
View file

@ -0,0 +1,83 @@
# bluetooth app
typeattribute bluetooth coredomain;
app_domain(bluetooth)
net_domain(bluetooth)
# Socket creation under /data/misc/bluedroid.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
# Allow access to net_admin ioctls
allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
wakelock_use(bluetooth);
# Data file accesses.
allow bluetooth bluetooth_data_file:dir create_dir_perms;
allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
allow bluetooth bluetooth_logs_data_file:file create_file_perms;
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file create_file_perms;
allow bluetooth self:global_capability_class_set net_admin;
allow bluetooth self:global_capability2_class_set wake_alarm;
# tethering
allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
allow bluetooth tun_device:chr_file rw_file_perms;
allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow bluetooth efs_file:dir search;
# allow Bluetooth to access uhid device for HID profile
allow bluetooth uhid_device:chr_file rw_file_perms;
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
# Allow write access to bluetooth specific properties
set_prop(bluetooth, bluetooth_a2dp_offload_prop)
set_prop(bluetooth, bluetooth_audio_hal_prop)
set_prop(bluetooth, bluetooth_prop)
set_prop(bluetooth, exported_bluetooth_prop)
set_prop(bluetooth, pan_result_prop)
allow bluetooth audioserver_service:service_manager find;
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
allow bluetooth self:global_capability_class_set sys_nice;
hal_client_domain(bluetooth, hal_bluetooth)
hal_client_domain(bluetooth, hal_telephony)
# Bluetooth A2DP offload requires binding with audio HAL
hal_client_domain(bluetooth, hal_audio)
read_runtime_log_tags(bluetooth)
###
### Neverallow rules
###
### These are things that the bluetooth app should NEVER be able to do
###
# Superuser capabilities.
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };

2
prebuilts/api/29.0/private/bluetoothdomain.te Normal file
View file

@ -0,0 +1,2 @@
# Allow clients to use a socket provided by the bluetooth app.
allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };

6
prebuilts/api/29.0/private/bootanim.te Normal file
View file

@ -0,0 +1,6 @@
typeattribute bootanim coredomain;
init_daemon_domain(bootanim)
# b/68864350
dontaudit bootanim unlabeled:dir search;

3
prebuilts/api/29.0/private/bootstat.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute bootstat coredomain;
init_daemon_domain(bootstat)

30
prebuilts/api/29.0/private/bpfloader.te Normal file
View file

@ -0,0 +1,30 @@
# bpf program loader
type bpfloader, domain;
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader coredomain;
# These permission is required for pin bpf program for netd.
allow bpfloader fs_bpf:dir create_dir_perms;
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
# for retrieving a pinned map when bpfloader do a run time restart.
allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
allow bpfloader self:global_capability_class_set sys_admin;
###
### Neverallow rules
###
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
set_prop(bpfloader, bpf_progs_loaded_prop)

3
prebuilts/api/29.0/private/bufferhubd.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute bufferhubd coredomain;
init_daemon_domain(bufferhubd)

31
prebuilts/api/29.0/private/bug_map Normal file
View file

@ -0,0 +1,31 @@
dnsmasq netd fifo_file 77868789
dnsmasq netd unix_stream_socket 77868789
init app_data_file file 77873135
init cache_file blk_file 77873135
init logpersist file 77873135
init nativetest_data_file dir 77873135
init pstorefs dir 77873135
init shell_data_file dir 77873135
init shell_data_file file 77873135
init shell_data_file lnk_file 77873135
init shell_data_file sock_file 77873135
init system_data_file chr_file 77873135
isolated_app privapp_data_file dir 119596573
isolated_app app_data_file dir 120394782
mediaextractor app_data_file file 77923736
mediaextractor radio_data_file file 77923736
mediaprovider cache_file blk_file 77925342
mediaprovider mnt_media_rw_file dir 77925342
mediaprovider shell_data_file dir 77925342
netd priv_app unix_stream_socket 77870037
netd untrusted_app unix_stream_socket 77870037
netd untrusted_app_25 unix_stream_socket 77870037
netd untrusted_app_27 unix_stream_socket 77870037
platform_app nfc_data_file dir 74331887
system_server crash_dump process 73128755
system_server sdcardfs file 77856826
system_server storage_stub_file dir 112609936
system_server zygote process 77856826
usbd usbd capability 72472544
vold system_data_file file 124108085
zygote untrusted_app_25 process 77925912

6
prebuilts/api/29.0/private/cameraserver.te Normal file
View file

@ -0,0 +1,6 @@
typeattribute cameraserver coredomain;
typeattribute cameraserver camera_service_server;
init_daemon_domain(cameraserver)
tmpfs_domain(cameraserver)

1
prebuilts/api/29.0/private/charger.te Normal file
View file

@ -0,0 +1 @@
typeattribute charger coredomain;

36
prebuilts/api/29.0/private/clatd.te Normal file
View file

@ -0,0 +1,36 @@
# 464xlat daemon
type clatd, domain, coredomain;
type clatd_exec, system_file_type, exec_type, file_type;
net_domain(clatd)
r_dir_file(clatd, proc_net_type)
userdebug_or_eng(`
auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
')
# Access objects inherited from netd.
allow clatd netd:fd use;
allow clatd netd:fifo_file { read write };
# TODO: Check whether some or all of these sockets should be close-on-exec.
allow clatd netd:netlink_kobject_uevent_socket { read write };
allow clatd netd:netlink_nflog_socket { read write };
allow clatd netd:netlink_route_socket { read write };
allow clatd netd:udp_socket { read write };
allow clatd netd:unix_stream_socket { read write };
allow clatd netd:unix_dgram_socket { read write };
allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
# so we permit any requests we see from clatd asking for this capability.
# See https://android-review.googlesource.com/127940 and
# https://b.corp.google.com/issues/21736319
allow clatd self:global_capability_class_set ipc_lock;
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
allow clatd tun_device:chr_file rw_file_perms;

783
prebuilts/api/29.0/private/compat/26.0/26.0.cil Normal file
View file

@ -0,0 +1,783 @@
;; attributes removed from current policy
(typeattribute hal_wifi_keystore)
(typeattribute hal_wifi_keystore_client)
(typeattribute hal_wifi_keystore_server)
;; types removed from current policy
(type untrusted_v2_app)
(type asan_reboot_prop)
(type commontime_management_service)
(type log_device)
(type mediacasserver_service)
(type mediacodec)
(type mediacodec_exec)
(type qtaguid_proc)
(type reboot_data_file)
(type tracing_shell_writable)
(type tracing_shell_writable_debug)
(type vold_socket)
(type webview_zygote_socket)
(type rild)
(typeattributeset accessibility_service_26_0 (accessibility_service))
(typeattributeset account_service_26_0 (account_service))
(typeattributeset activity_service_26_0 (activity_service))
(typeattributeset adbd_26_0 (adbd))
(typeattributeset adb_data_file_26_0 (adb_data_file))
(typeattributeset adbd_socket_26_0 (adbd_socket))
(typeattributeset adb_keys_file_26_0 (adb_keys_file))
(typeattributeset alarm_device_26_0 (alarm_device))
(typeattributeset alarm_service_26_0 (alarm_service))
(typeattributeset anr_data_file_26_0 (anr_data_file))
(typeattributeset apk_data_file_26_0 (apk_data_file))
(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
(typeattributeset app_fuse_file_26_0 (app_fuse_file))
(typeattributeset app_fusefs_26_0 (app_fusefs))
(typeattributeset appops_service_26_0 (appops_service))
(typeattributeset appwidget_service_26_0 (appwidget_service))
(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
(typeattributeset asec_apk_file_26_0 (asec_apk_file))
(typeattributeset asec_image_file_26_0 (asec_image_file))
(typeattributeset asec_public_file_26_0 (asec_public_file))
(typeattributeset ashmem_device_26_0 (ashmem_device))
(typeattributeset assetatlas_service_26_0 (assetatlas_service))
(typeattributeset audio_data_file_26_0 (audio_data_file))
(typeattributeset audio_device_26_0 (audio_device))
(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
(typeattributeset audio_prop_26_0 (audio_prop))
(typeattributeset audio_seq_device_26_0 (audio_seq_device))
(typeattributeset audioserver_26_0 (audioserver))
(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
(typeattributeset audioserver_service_26_0 (audioserver_service))
(typeattributeset audio_service_26_0 (audio_service))
(typeattributeset audio_timer_device_26_0 (audio_timer_device))
(typeattributeset autofill_service_26_0 (autofill_service))
(typeattributeset backup_data_file_26_0 (backup_data_file))
(typeattributeset backup_service_26_0 (backup_service))
(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
(typeattributeset battery_service_26_0 (battery_service))
(typeattributeset batterystats_service_26_0 (batterystats_service))
(typeattributeset binder_device_26_0 (binder_device))
(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
(typeattributeset blkid_26_0 (blkid))
(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
(typeattributeset block_device_26_0 (block_device))
(typeattributeset bluetooth_26_0 (bluetooth))
(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
(typeattributeset bluetooth_service_26_0 (bluetooth_service))
(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
(typeattributeset bootanim_26_0 (bootanim))
(typeattributeset bootanim_exec_26_0 (bootanim_exec))
(typeattributeset boot_block_device_26_0 (boot_block_device))
(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
(typeattributeset bootstat_26_0 (bootstat))
(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
(typeattributeset bootstat_exec_26_0 (bootstat_exec))
(typeattributeset boottime_prop_26_0 (boottime_prop))
(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
(typeattributeset bufferhubd_26_0 (bufferhubd))
(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
(typeattributeset cache_backup_file_26_0 (cache_backup_file))
(typeattributeset cache_block_device_26_0 (cache_block_device))
(typeattributeset cache_file_26_0 (cache_file))
(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
(typeattributeset camera_data_file_26_0 (camera_data_file))
(typeattributeset camera_device_26_0 (camera_device))
(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
(typeattributeset cameraserver_26_0 (cameraserver))
(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
(typeattributeset cameraserver_service_26_0 (cameraserver_service))
(typeattributeset cgroup_26_0 (cgroup))
(typeattributeset charger_26_0 (charger))
(typeattributeset clatd_26_0 (clatd))
(typeattributeset clatd_exec_26_0 (clatd_exec))
(typeattributeset clipboard_service_26_0 (clipboard_service))
(typeattributeset commontime_management_service_26_0 (commontime_management_service))
(typeattributeset companion_device_service_26_0 (companion_device_service))
(typeattributeset configfs_26_0 (configfs))
(typeattributeset config_prop_26_0 (config_prop))
(typeattributeset connectivity_service_26_0 (connectivity_service))
(typeattributeset connmetrics_service_26_0 (connmetrics_service))
(typeattributeset console_device_26_0 (console_device))
(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
(typeattributeset content_service_26_0 (content_service))
(typeattributeset contexthub_service_26_0 (contexthub_service))
(typeattributeset coredump_file_26_0 (coredump_file))
(typeattributeset country_detector_service_26_0 (country_detector_service))
(typeattributeset coverage_service_26_0 (coverage_service))
(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
(typeattributeset cppreopts_26_0 (cppreopts))
(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
(typeattributeset cpuctl_device_26_0 (cpuctl_device))
(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
(typeattributeset crash_dump_26_0 (crash_dump))
(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
(typeattributeset dalvik_prop_26_0 (dalvik_prop))
(typeattributeset dbinfo_service_26_0 (dbinfo_service))
(typeattributeset debugfs_26_0
( debugfs
debugfs_wakeup_sources
))
(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
(typeattributeset debug_prop_26_0 (debug_prop))
(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
(typeattributeset default_android_service_26_0 (default_android_service))
(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
(typeattributeset default_prop_26_0
( default_prop pm_prop))
(typeattributeset device_26_0 (device))
(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
(typeattributeset deviceidle_service_26_0 (deviceidle_service))
(typeattributeset device_logging_prop_26_0 (device_logging_prop))
(typeattributeset device_policy_service_26_0 (device_policy_service))
(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
(typeattributeset devpts_26_0 (devpts))
(typeattributeset dex2oat_26_0 (dex2oat))
(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
(typeattributeset dhcp_26_0 (dhcp))
(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
(typeattributeset dhcp_exec_26_0 (dhcp_exec))
(typeattributeset dhcp_prop_26_0 (dhcp_prop))
(typeattributeset diskstats_service_26_0 (diskstats_service))
(typeattributeset display_service_26_0 (display_service))
(typeattributeset dm_device_26_0 (dm_device))
(typeattributeset dnsmasq_26_0 (dnsmasq))
(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
(typeattributeset DockObserver_service_26_0 (DockObserver_service))
(typeattributeset dreams_service_26_0 (dreams_service))
(typeattributeset drm_data_file_26_0 (drm_data_file))
(typeattributeset drmserver_26_0 (drmserver))
(typeattributeset drmserver_exec_26_0 (drmserver_exec))
(typeattributeset drmserver_service_26_0 (drmserver_service))
(typeattributeset drmserver_socket_26_0 (drmserver_socket))
(typeattributeset dropbox_service_26_0 (dropbox_service))
(typeattributeset dumpstate_26_0 (dumpstate))
(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
(typeattributeset dumpstate_service_26_0 (dumpstate_service))
(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
(typeattributeset efs_file_26_0 (efs_file))
(typeattributeset ephemeral_app_26_0 (ephemeral_app))
(typeattributeset ethernet_service_26_0 (ethernet_service))
(typeattributeset ffs_prop_26_0 (ffs_prop))
(typeattributeset file_contexts_file_26_0 (file_contexts_file))
(typeattributeset fingerprintd_26_0 (fingerprintd))
(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
(typeattributeset fingerprint_service_26_0 (fingerprint_service))
(typeattributeset firstboot_prop_26_0 (firstboot_prop))
(typeattributeset font_service_26_0 (font_service))
(typeattributeset frp_block_device_26_0 (frp_block_device))
(typeattributeset fsck_26_0 (fsck))
(typeattributeset fsck_exec_26_0 (fsck_exec))
(typeattributeset fscklogs_26_0 (fscklogs))
(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
(typeattributeset full_device_26_0 (full_device))
(typeattributeset functionfs_26_0 (functionfs))
(typeattributeset fuse_26_0 (fuse))
(typeattributeset fuse_device_26_0 (fuse_device))
(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
(typeattributeset gatekeeperd_26_0 (gatekeeperd))
(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
(typeattributeset gps_control_26_0 (gps_control))
(typeattributeset gpu_device_26_0 (gpu_device))
(typeattributeset gpu_service_26_0 (gpu_service))
(typeattributeset graphics_device_26_0 (graphics_device))
(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
(typeattributeset hardware_service_26_0 (hardware_service))
(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
(typeattributeset healthd_26_0 (healthd))
(typeattributeset healthd_exec_26_0 (healthd_exec))
(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
(typeattributeset hwbinder_device_26_0 (hwbinder_device))
(typeattributeset hw_random_device_26_0 (hw_random_device))
(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
(typeattributeset hwservicemanager_26_0 (hwservicemanager))
(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
(typeattributeset i2c_device_26_0 (i2c_device))
(typeattributeset icon_file_26_0 (icon_file))
(typeattributeset idmap_26_0 (idmap))
(typeattributeset idmap_exec_26_0 (idmap_exec))
(typeattributeset iio_device_26_0 (iio_device))
(typeattributeset imms_service_26_0 (imms_service))
(typeattributeset incident_26_0 (incident))
(typeattributeset incidentd_26_0 (incidentd))
(typeattributeset incident_data_file_26_0 (incident_data_file))
(typeattributeset incident_service_26_0 (incident_service))
(typeattributeset init_26_0 (init))
(typeattributeset init_exec_26_0 (init_exec watchdogd_exec))
(typeattributeset inotify_26_0 (inotify))
(typeattributeset input_device_26_0 (input_device))
(typeattributeset inputflinger_26_0 (inputflinger))
(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
(typeattributeset inputflinger_service_26_0 (inputflinger_service))
(typeattributeset input_method_service_26_0 (input_method_service))
(typeattributeset input_service_26_0 (input_service))
(typeattributeset installd_26_0 (installd))
(typeattributeset install_data_file_26_0 (install_data_file))
(typeattributeset installd_exec_26_0 (installd_exec))
(typeattributeset installd_service_26_0 (installd_service))
(typeattributeset install_recovery_26_0 (install_recovery))
(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
(typeattributeset ion_device_26_0 (ion_device))
(typeattributeset IProxyService_service_26_0 (IProxyService_service))
(typeattributeset ipsec_service_26_0 (ipsec_service))
(typeattributeset isolated_app_26_0 (isolated_app))
(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
(typeattributeset kernel_26_0 (kernel))
(typeattributeset keychain_data_file_26_0 (keychain_data_file))
(typeattributeset keychord_device_26_0 (keychord_device))
(typeattributeset keystore_26_0 (keystore))
(typeattributeset keystore_data_file_26_0 (keystore_data_file))
(typeattributeset keystore_exec_26_0 (keystore_exec))
(typeattributeset keystore_service_26_0 (keystore_service))
(typeattributeset kmem_device_26_0 (kmem_device))
(typeattributeset kmsg_device_26_0 (kmsg_device))
(typeattributeset labeledfs_26_0 (labeledfs))
(typeattributeset launcherapps_service_26_0 (launcherapps_service))
(typeattributeset lmkd_26_0 (lmkd))
(typeattributeset lmkd_exec_26_0 (lmkd_exec))
(typeattributeset lmkd_socket_26_0 (lmkd_socket))
(typeattributeset location_service_26_0 (location_service))
(typeattributeset lock_settings_service_26_0 (lock_settings_service))
(typeattributeset logcat_exec_26_0 (logcat_exec))
(typeattributeset logd_26_0 (logd))
(typeattributeset log_device_26_0 (log_device))
(typeattributeset logd_exec_26_0 (logd_exec))
(typeattributeset logd_prop_26_0 (logd_prop))
(typeattributeset logdr_socket_26_0 (logdr_socket))
(typeattributeset logd_socket_26_0 (logd_socket))
(typeattributeset logdw_socket_26_0 (logdw_socket))
(typeattributeset logpersist_26_0 (logpersist))
(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
(typeattributeset log_prop_26_0 (log_prop))
(typeattributeset log_tag_prop_26_0 (log_tag_prop))
(typeattributeset loop_control_device_26_0 (loop_control_device))
(typeattributeset loop_device_26_0 (loop_device))
(typeattributeset mac_perms_file_26_0 (mac_perms_file))
(typeattributeset mdnsd_26_0 (mdnsd))
(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
(typeattributeset mdns_socket_26_0 (mdns_socket))
(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
(typeattributeset mediacodec_26_0 (mediacodec))
(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
(typeattributeset mediacodec_service_26_0 (mediacodec_service))
(typeattributeset media_data_file_26_0 (media_data_file))
(typeattributeset mediadrmserver_26_0 (mediadrmserver))
(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
(typeattributeset mediaextractor_26_0 (mediaextractor))
(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
(typeattributeset mediametrics_26_0 (mediametrics))
(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
(typeattributeset mediametrics_service_26_0 (mediametrics_service))
(typeattributeset media_projection_service_26_0 (media_projection_service))
(typeattributeset media_router_service_26_0 (media_router_service))
(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
(typeattributeset mediaserver_26_0 (mediaserver))
(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
(typeattributeset mediaserver_service_26_0 (mediaserver_service))
(typeattributeset media_session_service_26_0 (media_session_service))
(typeattributeset meminfo_service_26_0 (meminfo_service))
(typeattributeset metadata_block_device_26_0 (metadata_block_device))
(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
(typeattributeset midi_service_26_0 (midi_service))
(typeattributeset misc_block_device_26_0 (misc_block_device))
(typeattributeset misc_logd_file_26_0 (misc_logd_file))
(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
(typeattributeset mmc_prop_26_0 (mmc_prop))
(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
(typeattributeset mnt_user_file_26_0 (mnt_user_file))
(typeattributeset modprobe_26_0 (modprobe))
(typeattributeset mount_service_26_0 (mount_service))
(typeattributeset mqueue_26_0 (mqueue))
(typeattributeset mtd_device_26_0 (mtd_device))
(typeattributeset mtp_26_0 (mtp))
(typeattributeset mtp_device_26_0 (mtp_device))
(typeattributeset mtpd_socket_26_0 (mtpd_socket))
(typeattributeset mtp_exec_26_0 (mtp_exec))
(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
(typeattributeset netd_26_0 (netd))
(typeattributeset net_data_file_26_0 (net_data_file))
(typeattributeset netd_exec_26_0 (netd_exec))
(typeattributeset netd_listener_service_26_0 (netd_listener_service))
(typeattributeset net_dns_prop_26_0 (net_dns_prop))
(typeattributeset netd_service_26_0 (netd_service))
(typeattributeset netd_socket_26_0 (netd_socket))
(typeattributeset netif_26_0 (netif))
(typeattributeset netpolicy_service_26_0 (netpolicy_service))
(typeattributeset net_radio_prop_26_0 (net_radio_prop))
(typeattributeset netstats_service_26_0 (netstats_service))
(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
(typeattributeset network_management_service_26_0 (network_management_service))
(typeattributeset network_score_service_26_0 (network_score_service))
(typeattributeset network_time_update_service_26_0 (network_time_update_service))
(typeattributeset nfc_26_0 (nfc))
(typeattributeset nfc_data_file_26_0 (nfc_data_file))
(typeattributeset nfc_device_26_0 (nfc_device))
(typeattributeset nfc_prop_26_0 (nfc_prop))
(typeattributeset nfc_service_26_0 (nfc_service))
(typeattributeset node_26_0 (node))
(typeattributeset notification_service_26_0 (notification_service))
(typeattributeset null_device_26_0 (null_device))
(typeattributeset oemfs_26_0 (oemfs))
(typeattributeset oem_lock_service_26_0 (oem_lock_service))
(typeattributeset ota_data_file_26_0 (ota_data_file))
(typeattributeset otadexopt_service_26_0 (otadexopt_service))
(typeattributeset ota_package_file_26_0 (ota_package_file))
(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
(typeattributeset overlay_prop_26_0 (overlay_prop))
(typeattributeset overlay_service_26_0 (overlay_service))
(typeattributeset owntty_device_26_0 (owntty_device))
(typeattributeset package_service_26_0 (package_service))
(typeattributeset pan_result_prop_26_0 (pan_result_prop))
(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
(typeattributeset performanced_26_0 (performanced))
(typeattributeset performanced_exec_26_0 (performanced_exec))
(typeattributeset perfprofd_26_0 (perfprofd))
(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
(typeattributeset permission_service_26_0 (permission_service))
(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
(typeattributeset pinner_service_26_0 (pinner_service))
(typeattributeset pipefs_26_0 (pipefs))
(typeattributeset platform_app_26_0 (platform_app))
(typeattributeset pmsg_device_26_0 (pmsg_device))
(typeattributeset port_26_0 (port))
(typeattributeset port_device_26_0 (port_device))
(typeattributeset postinstall_26_0 (postinstall))
(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
(typeattributeset postinstall_file_26_0 (postinstall_file))
(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
(typeattributeset powerctl_prop_26_0 (powerctl_prop))
(typeattributeset power_service_26_0 (power_service))
(typeattributeset ppp_26_0 (ppp))
(typeattributeset ppp_device_26_0 (ppp_device))
(typeattributeset ppp_exec_26_0 (ppp_exec))
(typeattributeset preloads_data_file_26_0 (preloads_data_file))
(typeattributeset preloads_media_file_26_0 (preloads_media_file))
(typeattributeset preopt2cachename_26_0 (preopt2cachename))
(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
(typeattributeset print_service_26_0 (print_service))
(typeattributeset priv_app_26_0 (mediaprovider priv_app))
(typeattributeset proc_26_0
( proc
proc_abi
proc_asound
proc_buddyinfo
proc_cmdline
proc_dirty
proc_diskstats
proc_extra_free_kbytes
proc_filesystems
proc_hostname
proc_hung_task
proc_kmsg
proc_loadavg
proc_max_map_count
proc_min_free_order_shift
proc_mounts
proc_page_cluster
proc_pagetypeinfo
proc_panic
proc_pid_max
proc_pipe_conf
proc_random
proc_sched
proc_slabinfo
proc_swaps
proc_uid_time_in_state
proc_uid_concurrent_active_time
proc_uid_concurrent_policy_time
proc_uid_cpupower
proc_uptime
proc_version
proc_vmallocinfo
proc_vmstat))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
(typeattributeset processinfo_service_26_0 (processinfo_service))
(typeattributeset proc_interrupts_26_0 (proc_interrupts))
(typeattributeset proc_iomem_26_0 (proc_iomem))
(typeattributeset proc_meminfo_26_0 (proc_meminfo))
(typeattributeset proc_misc_26_0 (proc_misc))
(typeattributeset proc_modules_26_0 (proc_modules))
(typeattributeset proc_net_26_0
( proc_net
proc_net_tcp_udp
proc_qtaguid_stat))
(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
(typeattributeset proc_perf_26_0 (proc_perf))
(typeattributeset proc_security_26_0 (proc_security))
(typeattributeset proc_stat_26_0 (proc_stat))
(typeattributeset procstats_service_26_0 (procstats_service))
(typeattributeset proc_sysrq_26_0 (proc_sysrq))
(typeattributeset proc_timer_26_0 (proc_timer))
(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
(typeattributeset profman_26_0 (profman))
(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
(typeattributeset profman_exec_26_0 (profman_exec))
(typeattributeset properties_device_26_0 (properties_device))
(typeattributeset properties_serial_26_0 (properties_serial))
(typeattributeset property_contexts_file_26_0 (property_contexts_file))
(typeattributeset property_data_file_26_0 (property_data_file))
(typeattributeset property_socket_26_0 (property_socket))
(typeattributeset pstorefs_26_0 (pstorefs))
(typeattributeset ptmx_device_26_0 (ptmx_device))
(typeattributeset qtaguid_device_26_0 (qtaguid_device))
(typeattributeset qtaguid_proc_26_0
( qtaguid_proc
proc_qtaguid_ctrl))
(typeattributeset racoon_26_0 (racoon))
(typeattributeset racoon_exec_26_0 (racoon_exec))
(typeattributeset racoon_socket_26_0 (racoon_socket))
(typeattributeset radio_26_0 (radio))
(typeattributeset radio_data_file_26_0 (radio_data_file))
(typeattributeset radio_device_26_0 (radio_device))
(typeattributeset radio_prop_26_0 (radio_prop))
(typeattributeset radio_service_26_0 (radio_service))
(typeattributeset ram_device_26_0 (ram_device))
(typeattributeset random_device_26_0 (random_device))
(typeattributeset reboot_data_file_26_0 (reboot_data_file))
(typeattributeset recovery_26_0 (recovery))
(typeattributeset recovery_block_device_26_0 (recovery_block_device))
(typeattributeset recovery_data_file_26_0 (recovery_data_file))
(typeattributeset recovery_persist_26_0 (recovery_persist))
(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
(typeattributeset recovery_refresh_26_0 (recovery_refresh))
(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
(typeattributeset recovery_service_26_0 (recovery_service))
(typeattributeset registry_service_26_0 (registry_service))
(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
(typeattributeset restorecon_prop_26_0 (restorecon_prop))
(typeattributeset restrictions_service_26_0 (restrictions_service))
(typeattributeset rild_26_0 (rild))
(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
(typeattributeset rild_socket_26_0 (rild_socket))
(typeattributeset ringtone_file_26_0 (ringtone_file))
(typeattributeset root_block_device_26_0 (root_block_device))
(typeattributeset rootfs_26_0 (rootfs))
(typeattributeset rpmsg_device_26_0 (rpmsg_device))
(typeattributeset rtc_device_26_0 (rtc_device))
(typeattributeset rttmanager_service_26_0 (rttmanager_service))
(typeattributeset runas_26_0 (runas))
(typeattributeset runas_exec_26_0 (runas_exec))
(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
(typeattributeset safemode_prop_26_0 (safemode_prop))
(typeattributeset same_process_hal_file_26_0
( same_process_hal_file
vendor_public_lib_file))
(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
(typeattributeset sdcardd_26_0 (sdcardd))
(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
(typeattributeset sdcardfs_26_0 (sdcardfs))
(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
(typeattributeset search_service_26_0 (search_service))
(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
(typeattributeset selinuxfs_26_0 (selinuxfs))
(typeattributeset sensors_device_26_0 (sensors_device))
(typeattributeset sensorservice_service_26_0 (sensorservice_service))
(typeattributeset sepolicy_file_26_0 (sepolicy_file))
(typeattributeset serial_device_26_0 (serial_device))
(typeattributeset serialno_prop_26_0 (serialno_prop))
(typeattributeset serial_service_26_0 (serial_service))
(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
(typeattributeset servicemanager_26_0 (servicemanager))
(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
(typeattributeset settings_service_26_0 (settings_service))
(typeattributeset sgdisk_26_0 (sgdisk))
(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
(typeattributeset shared_relro_26_0 (shared_relro))
(typeattributeset shared_relro_file_26_0 (shared_relro_file))
(typeattributeset shell_26_0 (shell))
(typeattributeset shell_data_file_26_0 (shell_data_file))
(typeattributeset shell_exec_26_0 (shell_exec))
(typeattributeset shell_prop_26_0 (shell_prop))
(typeattributeset shm_26_0 (shm))
(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
(typeattributeset shortcut_service_26_0 (shortcut_service))
(typeattributeset slideshow_26_0 (slideshow))
(typeattributeset socket_device_26_0 (socket_device))
(typeattributeset sockfs_26_0 (sockfs))
(typeattributeset statusbar_service_26_0 (statusbar_service))
(typeattributeset storaged_service_26_0 (storaged_service))
(typeattributeset storage_file_26_0 (storage_file))
(typeattributeset storagestats_service_26_0 (storagestats_service))
(typeattributeset storage_stub_file_26_0 (storage_stub_file))
(typeattributeset su_26_0 (su))
(typeattributeset su_exec_26_0 (su_exec))
(typeattributeset surfaceflinger_26_0 (surfaceflinger))
(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
(typeattributeset swap_block_device_26_0 (swap_block_device))
(typeattributeset sysfs_26_0
( sysfs
sysfs_android_usb
sysfs_dm
sysfs_dt_firmware_android
sysfs_ipv4
sysfs_kernel_notes
sysfs_loop
sysfs_net
sysfs_power
sysfs_rtc
sysfs_switch
sysfs_wakeup_reasons))
(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
(typeattributeset sysfs_leds_26_0 (sysfs_leds))
(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
(typeattributeset sysfs_uio_26_0 (sysfs_uio))
(typeattributeset sysfs_usb_26_0 (sysfs_usb))
(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
(typeattributeset sysfs_zram_26_0 (sysfs_zram))
(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
(typeattributeset system_app_26_0 (system_app))
(typeattributeset system_app_data_file_26_0 (system_app_data_file))
(typeattributeset system_app_service_26_0 (system_app_service))
(typeattributeset system_block_device_26_0 (system_block_device))
(typeattributeset system_data_file_26_0
( system_data_file
dropbox_data_file
vendor_data_file))
(typeattributeset system_file_26_0
( system_file
system_lib_file
system_linker_config_file
system_linker_exec
system_seccomp_policy_file
system_security_cacerts_file
system_zoneinfo_file
))
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
(typeattributeset system_prop_26_0 (system_prop))
(typeattributeset system_radio_prop_26_0 (system_radio_prop))
(typeattributeset system_server_26_0 (system_server))
(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
(typeattributeset task_service_26_0 (task_service))
(typeattributeset tee_26_0 (tee))
(typeattributeset tee_data_file_26_0 (tee_data_file))
(typeattributeset tee_device_26_0 (tee_device))
(typeattributeset telecom_service_26_0 (telecom_service))
(typeattributeset textclassification_service_26_0 (textclassification_service))
(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
(typeattributeset textservices_service_26_0 (textservices_service))
(typeattributeset tmpfs_26_0 (tmpfs))
(typeattributeset tombstoned_26_0 (tombstoned))
(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
(typeattributeset toolbox_26_0 (toolbox))
(typeattributeset toolbox_exec_26_0 (toolbox_exec))
(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
(typeattributeset trust_service_26_0 (trust_service))
(typeattributeset tty_device_26_0 (tty_device))
(typeattributeset tun_device_26_0 (tun_device))
(typeattributeset tv_input_service_26_0 (tv_input_service))
(typeattributeset tzdatacheck_26_0 (tzdatacheck))
(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
(typeattributeset ueventd_26_0 (ueventd))
(typeattributeset uhid_device_26_0 (uhid_device))
(typeattributeset uimode_service_26_0 (uimode_service))
(typeattributeset uio_device_26_0 (uio_device))
(typeattributeset uncrypt_26_0 (uncrypt))
(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
(typeattributeset unlabeled_26_0 (unlabeled))
(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
(typeattributeset untrusted_app_26_0
( untrusted_app
untrusted_app_27))
(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
(typeattributeset update_engine_26_0 (update_engine))
(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
(typeattributeset update_engine_exec_26_0 (update_engine_exec))
(typeattributeset update_engine_service_26_0 (update_engine_service))
(typeattributeset updatelock_service_26_0 (updatelock_service))
(typeattributeset update_verifier_26_0 (update_verifier))
(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
(typeattributeset usagestats_service_26_0 (usagestats_service))
(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
(typeattributeset usb_device_26_0 (usb_device))
(typeattributeset usbfs_26_0 (usbfs))
(typeattributeset usb_service_26_0 (usb_service))
(typeattributeset userdata_block_device_26_0 (userdata_block_device))
(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
(typeattributeset user_service_26_0 (user_service))
(typeattributeset vcs_device_26_0 (vcs_device))
(typeattributeset vdc_26_0 (vdc))
(typeattributeset vdc_exec_26_0 (vdc_exec))
(typeattributeset vendor_app_file_26_0 (vendor_app_file))
(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
(typeattributeset vendor_file_26_0 (vendor_file))
(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
(typeattributeset vfat_26_0 (vfat))
(typeattributeset vibrator_service_26_0 (vibrator_service))
(typeattributeset video_device_26_0 (video_device))
(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
(typeattributeset vndbinder_device_26_0 (vndbinder_device))
(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
(typeattributeset vndservicemanager_26_0 (vndservicemanager))
(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
(typeattributeset vold_26_0 (vold))
(typeattributeset vold_data_file_26_0 (vold_data_file))
(typeattributeset vold_device_26_0 (vold_device))
(typeattributeset vold_exec_26_0 (vold_exec))
(typeattributeset vold_prop_26_0 (vold_prop))
(typeattributeset vold_socket_26_0 (vold_socket))
(typeattributeset vpn_data_file_26_0 (vpn_data_file))
(typeattributeset vr_hwc_26_0 (vr_hwc))
(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
(typeattributeset vr_manager_service_26_0 (vr_manager_service))
(typeattributeset wallpaper_file_26_0 (wallpaper_file))
(typeattributeset wallpaper_service_26_0 (wallpaper_service))
(typeattributeset watchdogd_26_0 (watchdogd))
(typeattributeset watchdog_device_26_0 (watchdog_device))
(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
(typeattributeset webview_zygote_26_0 (webview_zygote))
(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
(typeattributeset wifiaware_service_26_0 (wifiaware_service))
(typeattributeset wificond_26_0 (wificond))
(typeattributeset wificond_exec_26_0 (wificond_exec))
(typeattributeset wificond_service_26_0 (wificond_service))
(typeattributeset wifi_data_file_26_0 (wifi_data_file))
(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
(typeattributeset wifip2p_service_26_0 (wifip2p_service))
(typeattributeset wifi_prop_26_0 (wifi_prop))
(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
(typeattributeset wifi_service_26_0 (wifi_service))
(typeattributeset window_service_26_0 (window_service))
(typeattributeset wpa_socket_26_0 (wpa_socket))
(typeattributeset zero_device_26_0 (zero_device))
(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
(typeattributeset zygote_26_0 (zygote))
(typeattributeset zygote_exec_26_0 (zygote_exec))
(typeattributeset zygote_socket_26_0 (zygote_socket))

4
prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil Normal file
View file

@ -0,0 +1,4 @@
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))

224
prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil Normal file
View file

@ -0,0 +1,224 @@
;; new_objects - a collection of types that have been introduced that have no
;; analogue in older policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
activity_task_service
adb_service
adbd_exec
app_binding_service
apex_data_file
apex_metadata_file
apex_mnt_dir
apex_service
apexd
apexd_exec
apexd_prop
apexd_tmpfs
app_zygote
atrace
binder_calls_stats_service
biometric_service
bootloader_boot_reason_prop
blank_screen
blank_screen_exec
blank_screen_tmpfs
bluetooth_a2dp_offload_prop
bpfloader
bpfloader_exec
broadcastradio_service
cgroup_bpf
charger_exec
color_display_service
content_capture_service
crossprofileapps_service
ctl_interface_restart_prop
ctl_interface_start_prop
ctl_interface_stop_prop
ctl_sigstop_prop
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
dnsresolver_service
e2fs
e2fs_exec
exfat
exported_audio_prop
exported_bluetooth_prop
exported_config_prop
exported_dalvik_prop
exported_default_prop
exported_dumpstate_prop
exported_ffs_prop
exported_fingerprint_prop
exported_overlay_prop
exported_pm_prop
exported_radio_prop
exported_secure_prop
exported_system_prop
exported_system_radio_prop
exported_vold_prop
exported_wifi_prop
exported2_config_prop
exported2_default_prop
exported2_radio_prop
exported2_system_prop
exported2_vold_prop
exported3_default_prop
exported3_radio_prop
exported3_system_prop
fastbootd
fingerprint_vendor_data_file
flags_health_check
flags_health_check_exec
fs_bpf
fwk_stats_hwservice
hal_atrace_hwservice
hal_audiocontrol_hwservice
hal_authsecret_hwservice
hal_broadcastradio_hwservice
hal_cas_hwservice
hal_codec2_hwservice
hal_confirmationui_hwservice
hal_evs_hwservice
hal_health_storage_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_secure_element_hwservice
hal_tetheroffload_hwservice
hal_wifi_hostapd_hwservice
hal_usb_gadget_hwservice
hal_vehicle_hwservice
hal_wifi_offload_hwservice
heapprofd
heapprofd_exec
heapprofd_socket
incident_helper
incident_helper_exec
iorapd
iorapd_data_file
iorapd_exec
iorapd_service
iorapd_tmpfs
kmsg_debug_device
last_boot_reason_prop
llkd
llkd_exec
llkd_prop
llkd_tmpfs
looper_stats_service
lowpan_device
lowpan_prop
lowpan_service
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
mediaextractor_update_service
mediaprovider_tmpfs
metadata_file
mnt_product_file
mnt_vendor_file
netd_stable_secret_prop
network_stack
network_stack_service
network_watchlist_data_file
network_watchlist_service
overlayfs_file
package_native_service
perfetto
perfetto_exec
perfetto_tmpfs
perfetto_traces_data_file
perfprofd_service
property_info
recovery_socket
role_service
runas_app
runtime_service
secure_element
secure_element_device
secure_element_tmpfs
secure_element_service
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
slice_service
staging_data_file
stats
stats_data_file
stats_exec
stats_service
statsd
statsd_exec
statsd_tmpfs
statsdw
statsdw_socket
statscompanion_service
storaged_data_file
super_block_device
sysfs_fs_ext4_features
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
system_net_netd_hwservice
system_update_service
test_boot_reason_prop
thermal_service
thermalcallback_hwservice
thermalserviced
thermalserviced_exec
thermalserviced_tmpfs
time_prop
timedetector_service
timezone_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
trace_data_file
traceur_app
traceur_app_tmpfs
traced
traced_consumer_socket
traced_enabled_prop
traced_exec
traced_probes
traced_probes_exec
traced_probes_tmpfs
traced_producer_socket
traced_tmpfs
untrusted_app_all_devpts
update_engine_log_data_file
vendor_default_prop
vendor_security_patch_level_prop
uri_grants_service
usbd
usbd_exec
usbd_tmpfs
vendor_apex_file
vendor_init
vendor_shell
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
vrflinger_vsync_service
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
watchdogd_tmpfs
wpantund
wpantund_exec
wpantund_service
wpantund_tmpfs
wm_trace_data_file))
;; private_objects - a collection of types that were labeled differently in
;; older policy, but that should not remain accessible to vendor policy.
;; Thus, these types are also not mapped, but recorded for checkapi tests
(type priv_objects)
(typeattribute priv_objects)
(typeattributeset priv_objects
( priv_objects
adbd_tmpfs
untrusted_app_27_tmpfs))

1505
prebuilts/api/29.0/private/compat/27.0/27.0.cil Normal file
View file

File diff suppressed because it is too large Load diff

4
prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil Normal file
View file

@ -0,0 +1,4 @@
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))

201
prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil Normal file
View file

@ -0,0 +1,201 @@
;; new_objects - a collection of types that have been introduced that have no
;; analogue in older policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
activity_task_service
adb_service
app_binding_service
apex_data_file
apex_metadata_file
apex_mnt_dir
apex_service
apexd
apexd_exec
apexd_prop
apexd_tmpfs
app_zygote
atrace
binder_calls_stats_service
biometric_service
blank_screen
blank_screen_exec
blank_screen_tmpfs
bootloader_boot_reason_prop
bluetooth_a2dp_offload_prop
bpfloader
bpfloader_exec
cgroup_bpf
charger_exec
color_display_service
content_capture_service
crossprofileapps_service
ctl_interface_restart_prop
ctl_interface_start_prop
ctl_interface_stop_prop
ctl_sigstop_prop
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
dnsresolver_service
exfat
exported2_config_prop
exported2_default_prop
exported2_radio_prop
exported2_system_prop
exported2_vold_prop
exported3_default_prop
exported3_radio_prop
exported3_system_prop
exported_audio_prop
exported_bluetooth_prop
exported_config_prop
exported_dalvik_prop
exported_default_prop
exported_dumpstate_prop
exported_ffs_prop
exported_fingerprint_prop
exported_overlay_prop
exported_pm_prop
exported_radio_prop
exported_secure_prop
exported_system_prop
exported_system_radio_prop
exported_vold_prop
exported_wifi_prop
fastbootd
flags_health_check
flags_health_check_exec
fingerprint_vendor_data_file
fs_bpf
fwk_stats_hwservice
hal_atrace_hwservice
hal_audiocontrol_hwservice
hal_authsecret_hwservice
hal_codec2_hwservice
hal_confirmationui_hwservice
hal_evs_hwservice
hal_health_storage_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
hal_usb_gadget_hwservice
hal_vehicle_hwservice
hal_wifi_hostapd_hwservice
heapprofd
heapprofd_exec
heapprofd_socket
incident_helper
incident_helper_exec
iorapd
iorapd_data_file
iorapd_exec
iorapd_service
iorapd_tmpfs
last_boot_reason_prop
llkd
llkd_exec
llkd_prop
llkd_tmpfs
looper_stats_service
lowpan_device
lowpan_prop
lowpan_service
mediaextractor_update_service
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
metadata_file
mnt_product_file
mnt_vendor_file
network_stack
network_stack_service
network_watchlist_data_file
network_watchlist_service
overlayfs_file
perfetto
perfetto_exec
perfetto_tmpfs
perfetto_traces_data_file
perfprofd_service
property_info
recovery_socket
role_service
runas_app
runtime_service
secure_element
secure_element_device
secure_element_service
secure_element_tmpfs
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
slice_service
stats
stats_data_file
stats_exec
stats_service
statscompanion_service
statsd
statsd_exec
statsd_tmpfs
statsdw
statsdw_socket
storaged_data_file
super_block_device
staging_data_file
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
system_update_service
test_boot_reason_prop
time_prop
timedetector_service
tombstone_wifi_data_file
trace_data_file
traced
traced_consumer_socket
traced_enabled_prop
traced_exec
traced_probes
traced_probes_exec
traced_probes_tmpfs
traced_producer_socket
traced_tmpfs
traceur_app
traceur_app_tmpfs
untrusted_app_all_devpts
update_engine_log_data_file
uri_grants_service
usbd
usbd_exec
usbd_tmpfs
vendor_apex_file
vendor_default_prop
vendor_init
vendor_security_patch_level_prop
vendor_shell
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
vrflinger_vsync_service
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
watchdogd_tmpfs
wm_trace_data_file
wpantund
wpantund_exec
wpantund_service
wpantund_tmpfs))
;; private_objects - a collection of types that were labeled differently in
;; older policy, but that should not remain accessible to vendor policy.
;; Thus, these types are also not mapped, but recorded for checkapi tests
(type priv_objects)
(typeattribute priv_objects)
(typeattributeset priv_objects
( priv_objects
untrusted_app_27_tmpfs))

1745
prebuilts/api/29.0/private/compat/28.0/28.0.cil Normal file
View file

File diff suppressed because it is too large Load diff

4
prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil Normal file
View file

@ -0,0 +1,4 @@
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))

149
prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil Normal file
View file

@ -0,0 +1,149 @@
;; new_objects - a collection of types that have been introduced that have no
;; analogue in older policy. Thus, we do not need to map these types to
;; previous ones. Add here to pass checkapi tests.
(type new_objects)
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
activity_task_service
adb_service
apex_data_file
apex_metadata_file
apex_mnt_dir
apex_service
apexd
apexd_exec
apexd_prop
apexd_tmpfs
appdomain_tmpfs
app_binding_service
app_prediction_service
app_zygote
app_zygote_tmpfs
ashmemd
ashmem_device_service
attention_service
biometric_service
bluetooth_audio_hal_prop
bpf_progs_loaded_prop
bugreport_service
cgroup_desc_file
cgroup_rc_file
charger_exec
content_capture_service
content_suggestions_service
cpu_variant_prop
ctl_gsid_prop
dev_cpu_variant
device_config_activity_manager_native_boot_prop
device_config_boot_count_prop
device_config_input_native_boot_prop
device_config_netd_native_prop
device_config_reset_performed_prop
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
device_config_service
dnsresolver_service
dynamic_android_service
dynamic_system_prop
face_service
face_vendor_data_file
fastbootd
flags_health_check
flags_health_check_exec
fwk_bufferhub_hwservice
fwk_camera_hwservice
fwk_stats_hwservice
gpuservice
gsi_data_file
gsi_metadata_file
gsi_service
gsid
gsid_exec
gsid_prop
color_display_service
external_vibrator_service
hal_atrace_hwservice
hal_face_hwservice
hal_graphics_composer_server_tmpfs
hal_health_storage_hwservice
hal_input_classifier_hwservice
hal_power_stats_hwservice
heapprofd
heapprofd_enabled_prop
heapprofd_exec
heapprofd_prop
heapprofd_socket
idmap_service
iris_service
iris_vendor_data_file
llkd
llkd_exec
llkd_prop
llkd_tmpfs
looper_stats_service
lpdumpd
lpdumpd_exec
lpdumpd_prop
lpdump_service
iorapd
iorapd_exec
iorapd_data_file
iorapd_service
iorapd_tmpfs
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
mnt_product_file
network_stack
network_stack_service
network_stack_tmpfs
nnapi_ext_deny_product_prop
overlayfs_file
password_slot_metadata_file
permissionmgr_service
postinstall_apex_mnt_dir
recovery_socket
role_service
rs
rs_exec
rss_hwm_reset
rss_hwm_reset_exec
runas_app
runas_app_tmpfs
runtime_service
sdcard_block_device
sensor_privacy_service
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
su_tmpfs
super_block_device
sysfs_fs_f2fs
system_bootstrap_lib_file
system_event_log_tags_file
system_lmk_prop
system_suspend_hwservice
system_suspend_control_service
system_trace_prop
staging_data_file
task_profiles_file
testharness_service
test_harness_prop
time_prop
timedetector_service
timezonedetector_service
traced_lazy_prop
uri_grants_service
use_memfd_prop
vendor_apex_file
vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
vendor_misc_writer
vendor_misc_writer_exec
vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))

207
prebuilts/api/29.0/private/coredomain.te Normal file
View file

@ -0,0 +1,207 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)
full_treble_only(`
neverallow {
coredomain
# for chowning
-init
# generic access to sysfs_type
-ueventd
-vold
} sysfs_leds:file *;
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
} vendor_app_file:dir { open read getattr search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-mediaserver
} vendor_app_file:file r_file_perms;
')
full_treble_only(`
# Limit access to /vendor/overlay
neverallow {
coredomain
-appdomain
-idmap
-init
-installd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:dir { getattr open read search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
-idmap
-init
-installd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:file r_file_perms;
')
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
# /proc
neverallow {
coredomain
-init
-vold
} proc:file no_rw_file_perms;
# /sys
neverallow {
coredomain
-init
-ueventd
-vold
} sysfs:file no_rw_file_perms;
# /dev
neverallow {
coredomain
-fsck
-init
-ueventd
} device:{ blk_file file } no_rw_file_perms;
# debugfs
neverallow {
coredomain
-dumpstate
-init
-system_server
} debugfs:file no_rw_file_perms;
# tracefs
neverallow {
coredomain
-atrace
-dumpstate
-init
userdebug_or_eng(`-perfprofd')
-traced_probes
-shell
-traceur_app
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
neverallow {
coredomain
-init
} inotify:file no_rw_file_perms;
# pstorefs
neverallow {
coredomain
-bootstat
-charger
-dumpstate
-healthd
userdebug_or_eng(`-incidentd')
-init
-logd
-logpersist
-recovery_persist
-recovery_refresh
-shell
-system_server
} pstorefs:file no_rw_file_perms;
# configfs
neverallow {
coredomain
-init
-system_server
} configfs:file no_rw_file_perms;
# functionfs
neverallow {
coredomain
-adbd
-init
-mediaprovider
-system_server
} functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs
neverallow {
coredomain
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
neverallow coredomain {
iio_device
radio_device
}:chr_file { open read append write ioctl };
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
full_treble_only(`
neverallow coredomain tee_device:chr_file { open read append write ioctl };
')
# Allow access to ashmemd to request /dev/ashmem fds.
allow {
coredomain
-init
-iorapd
-perfprofd
} ashmem_device_service:service_manager find;
binder_call({
coredomain
-init
-iorapd
-perfprofd
}, ashmemd)

27
prebuilts/api/29.0/private/cppreopts.te Normal file
View file

@ -0,0 +1,27 @@
# cppreopts
#
# This command copies preopted files from the system_b partition to the data
# partition. This domain ensures that we are only copying into specific
# directories.
type cppreopts, domain, mlstrustedsubject, coredomain;
type cppreopts_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
# Allow cppreopts copy files into the dalvik-cache
allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
# Allow cppreopts to execute itself using #!/system/bin/sh
allow cppreopts shell_exec:file rx_file_perms;
# Allow us to run find on /postinstall
allow cppreopts system_file:dir { open read };
# Allow running the cp command using cppreopts permissions. Needed so we can
# write into dalvik-cache
allow cppreopts toolbox_exec:file rx_file_perms;

49
prebuilts/api/29.0/private/crash_dump.te Normal file
View file

@ -0,0 +1,49 @@
typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
dontaudit crash_dump { devpts dev_type }:chr_file { read write };
allow crash_dump {
domain
-apexd
-bpfloader
-crash_dump
-init
-kernel
-keystore
-llkd
-logd
-ueventd
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
userdebug_or_eng(`
allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
')
###
### neverallow assertions
###
# ptrace neverallow assertions are spread throughout the other policy
# files, so we avoid adding redundant assertions here
neverallow crash_dump {
apexd
userdebug_or_eng(`-apexd')
bpfloader
init
kernel
keystore
llkd
userdebug_or_eng(`-llkd')
logd
userdebug_or_eng(`-logd')
ueventd
vendor_init
vold
userdebug_or_eng(`-vold')
}:process { signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;

84
prebuilts/api/29.0/private/dex2oat.te Normal file
View file

@ -0,0 +1,84 @@
# dex2oat
type dex2oat, domain, coredomain;
type dex2oat_exec, system_file_type, exec_type, file_type;
r_dir_file(dex2oat, apk_data_file)
# Access to /vendor/app
r_dir_file(dex2oat, vendor_app_file)
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
allow dex2oat vendor_framework_file:file { getattr open read map };
allow dex2oat tmpfs:file { read getattr map };
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
# the oat file is symlinked to the original file in /system.
allow dex2oat dalvikcache_data_file:lnk_file read;
allow dex2oat installd:fd use;
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
# locked APKs.
allow dex2oat asec_apk_file:file { read map };
allow dex2oat unlabeled:file { read map };
allow dex2oat oemfs:file { read map };
allow dex2oat apk_tmp_file:dir search;
allow dex2oat apk_tmp_file:file r_file_perms;
allow dex2oat user_profile_data_file:file { getattr read lock map };
# Allow dex2oat to compile app's secondary dex files which were reported back to
# the framework.
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
##################
# A/B OTA Dexopt #
##################
# Allow dex2oat to use file descriptors from otapreopt.
allow dex2oat postinstall_dexopt:fd use;
# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
allow dex2oat postinstall_file:dir r_dir_perms;
allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file { getattr read };
allow dex2oat postinstall_file:file read;
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
allow dex2oat postinstall_file:file { execute getattr open };
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
allow dex2oat ota_data_file:file r_file_perms;
# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
# where the oat file is symlinked to the original file in /system.
allow dex2oat ota_data_file:lnk_file { create read };
# It would be nice to tie this down, but currently, because of how images are written, we can't
# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
# create them itself (and make them world-readable).
allow dex2oat ota_data_file:file { create w_file_perms setattr };
###############
# APEX Update #
###############
# /dev/zero is inherited.
allow dex2oat apexd:fd use;
# Allow dex2oat to use file descriptors from preinstall.
allow dex2oat art_apex_preinstall:fd use;
##############
# Neverallow #
##############
neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;

32
prebuilts/api/29.0/private/dexoptanalyzer.te Normal file
View file

@ -0,0 +1,32 @@
# dexoptanalyzer
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
#processes.
tmpfs_domain(dexoptanalyzer)
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };

4
prebuilts/api/29.0/private/dhcp.te Normal file
View file

@ -0,0 +1,4 @@
typeattribute dhcp coredomain;
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;

1
prebuilts/api/29.0/private/dnsmasq.te Normal file
View file

@ -0,0 +1 @@
typeattribute dnsmasq coredomain;

314
prebuilts/api/29.0/private/domain.te Normal file
View file

@ -0,0 +1,314 @@
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Allow every process to check the heapprofd.enable properties to determine
# whether to load the heap profiling library. This does not necessarily enable
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
domain
-bpfloader
-init
-kernel
-keystore
-llkd
-logd
-logpersist
-recovery
-recovery_persist
-recovery_refresh
-ueventd
-vendor_init
-vold
})')
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
get_prop(domain, core_property_type)
get_prop(domain, exported_dalvik_prop)
get_prop(domain, exported_ffs_prop)
get_prop(domain, exported_system_radio_prop)
get_prop(domain, exported2_config_prop)
get_prop(domain, exported2_radio_prop)
get_prop(domain, exported2_system_prop)
get_prop(domain, exported2_vold_prop)
get_prop(domain, exported3_default_prop)
get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
get_prop({coredomain appdomain shell}, core_property_type)
get_prop({coredomain appdomain shell}, exported_dalvik_prop)
get_prop({coredomain appdomain shell}, exported_ffs_prop)
get_prop({coredomain appdomain shell}, exported_system_radio_prop)
get_prop({coredomain appdomain shell}, exported2_config_prop)
get_prop({coredomain appdomain shell}, exported2_radio_prop)
get_prop({coredomain appdomain shell}, exported2_system_prop)
get_prop({coredomain appdomain shell}, exported2_vold_prop)
get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
# Allow access to fsverity keyring.
allow domain kernel:key search;
# Allow access to keys in the fsverity keyring that were installed at boot.
allow domain fsverity_init:key search;
# For testing purposes, allow access to keys installed with su.
userdebug_or_eng(`
allow domain su:key search;
')
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
-storaged
-system_server
userdebug_or_eng(`-perfprofd')
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
neverallow {
domain
-init
-vendor_init
userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
neverallow {
domain
-appdomain
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
# Only the following processes should be directly accessing private app
# directories.
neverallow {
domain
-adbd
-appdomain
-app_zygote
-dexoptanalyzer
-installd
userdebug_or_eng(`-perfprofd')
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
-viewcompiler
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
neverallow {
domain
-appdomain
-app_zygote
-installd
userdebug_or_eng(`-perfprofd')
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
neverallow {
domain
-appdomain
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
# The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
{ append create relabelfrom rename setattr write no_x_file_perms };
neverallow {
domain
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
domain
-appdomain
with_asan(`-asan_extract')
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
} {
file_type
-system_file_type
-system_lib_file
-system_linker_exec
-vendor_file_type
-exec_type
-postinstall_file
}:file execute;
# Only init is allowed to write cgroup.rc file
neverallow {
domain
-init
-vendor_init
} cgroup_rc_file:file no_w_file_perms;
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-otapreopt_slot
-art_apex_postinstall
-art_apex_boot_integrity
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
domain
-init
-installd
-postinstall_dexopt
-cppreopts
-dex2oat
-zygote
-otapreopt_slot
-art_apex_boot_integrity
-art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
dnsmasq
dumpstate
init
installd
install_recovery
userdebug_or_eng(`llkd')
lmkd
netd
perfprofd
postinstall_dexopt
recovery
rss_hwm_reset
sdcardd
tee
ueventd
uncrypt
vendor_init
vold
vold_prepare_subdirs
zygote
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
# have dac_override should also have dac_read_search to eliminate spurious
# denials. Some domains have dac_read_search without having dac_override, so
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
traced_probes
userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow {
domain
-apexd
recovery_only(`userdebug_or_eng(`-fastbootd')')
-init
-kernel
-otapreopt_chroot
-recovery
-update_engine
-vold
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
-kernel
-gsid
-init
-recovery
-ueventd
-healthd
-uncrypt
-tee
-hal_bootctl_server
} self:global_capability_class_set sys_rawio;

7
prebuilts/api/29.0/private/drmserver.te Normal file
View file

@ -0,0 +1,7 @@
typeattribute drmserver coredomain;
init_daemon_domain(drmserver)
type_transition drmserver apk_data_file:sock_file drmserver_socket;
typeattribute drmserver_socket coredomain_socket;

52
prebuilts/api/29.0/private/dumpstate.te Normal file
View file

@ -0,0 +1,52 @@
typeattribute dumpstate coredomain;
init_daemon_domain(dumpstate)
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;
allow dumpstate storaged_exec:file rx_file_perms;
# /data/misc/wmtrace for wm traces
userdebug_or_eng(`
allow dumpstate wm_trace_data_file:dir r_dir_perms;
allow dumpstate wm_trace_data_file:file r_file_perms;
')
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)
# Allow dumpstate to talk to gpuservice over binder
binder_call(dumpstate, gpuservice);
# Allow dumpstate to talk to idmap over binder
binder_call(dumpstate, idmap);
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
# Signal native processes to dump their stack.
allow dumpstate {
statsd
netd
}:process signal;
# For collecting bugreports.
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
dontaudit dumpstate perfprofd:binder call;
dontaudit dumpstate update_engine:binder call;
allow dumpstate proc_net_tcp_udp:file r_file_perms;
# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)

102
prebuilts/api/29.0/private/ephemeral_app.te Normal file
View file

@ -0,0 +1,102 @@
###
### Ephemeral apps.
###
### This file defines the security policy for apps with the ephemeral
### feature.
###
### The ephemeral_app domain is a reduced permissions sandbox allowing
### ephemeral applications to be safely installed and run. Non ephemeral
### applications may also opt-in to ephemeral to take advantage of the
### additional security features.
###
### PackageManager flags an app as ephemeral at install time.
typeattribute ephemeral_app coredomain;
net_domain(ephemeral_app)
app_domain(ephemeral_app)
# Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
allow ephemeral_app app_data_file:file { r_file_perms execute };
# Follow priv-app symlinks. This is used for dynamite functionality.
allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)
# Allow loading and deleting shared libraries created by trusted system
# components within an application home directory.
allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
# services
allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find;
allow ephemeral_app mediaserver_service:service_manager find;
allow ephemeral_app mediaextractor_service:service_manager find;
allow ephemeral_app mediacodec_service:service_manager find;
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
allow ephemeral_app gpu_service:service_manager find;
# Allow ephemeral apps to interact with gpuservice
binder_call(ephemeral_app, gpuservice)
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow ephemeral_app traced:fd use;
allow ephemeral_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(ephemeral_app, traced_producer, traced)
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
can_profile_heap(ephemeral_app)
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
allow ephemeral_app ashmem_device:chr_file rw_file_perms;
###
### neverallow rules
###
neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
# Receive or send generic netlink messages
neverallow ephemeral_app domain:netlink_socket *;
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow ephemeral_app debugfs:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
# access files in /sys with the default sysfs label
neverallow ephemeral_app sysfs:file *;
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
neverallow ephemeral_app proc_net:file no_rw_file_perms;

1
prebuilts/api/29.0/private/fastbootd.te Normal file
View file

@ -0,0 +1 @@
typeattribute fastbootd coredomain;

22
prebuilts/api/29.0/private/file.te Normal file
View file

@ -0,0 +1,22 @@
# /proc/config.gz
type config_gz, fs_type, proc_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
# App executable files in /data/data directories
type app_exec_data_file, file_type, data_file_type, core_data_file_type;
typealias app_exec_data_file alias rs_data_file;
# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;

652
prebuilts/api/29.0/private/file_contexts Normal file
View file

@ -0,0 +1,652 @@
###########################################
# Root
/ u:object_r:rootfs:s0
# Data files
/adb_keys u:object_r:adb_keys_file:s0
/build\.prop u:object_r:rootfs:s0
/default\.prop u:object_r:rootfs:s0
/fstab\..* u:object_r:rootfs:s0
/init\..* u:object_r:rootfs:s0
/res(/.*)? u:object_r:rootfs:s0
/selinux_version u:object_r:rootfs:s0
/ueventd\..* u:object_r:rootfs:s0
/verity_key u:object_r:rootfs:s0
# Executables
/init u:object_r:init_exec:s0
/sbin(/.*)? u:object_r:rootfs:s0
# For kernel modules
/lib(/.*)? u:object_r:rootfs:s0
# Empty directories
/lost\+found u:object_r:rootfs:s0
/acct u:object_r:cgroup:s0
/config u:object_r:rootfs:s0
/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
/postinstall u:object_r:postinstall_mnt_dir:s0
/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/proc u:object_r:rootfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
# Symlinks
/bin u:object_r:rootfs:s0
/bugreports u:object_r:rootfs:s0
/charger u:object_r:rootfs:s0
/d u:object_r:rootfs:s0
/etc u:object_r:rootfs:s0
/sdcard u:object_r:rootfs:s0
# SELinux policy files
/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
/product_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/product_property_contexts u:object_r:property_contexts_file:s0
/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
# Use nonplat_service_contexts_file to allow servicemanager to read it
# on non full-treble devices.
/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
##########################
# Devices
#
/dev(/.*)? u:object_r:device:s0
/dev/adf[0-9]* u:object_r:graphics_device:s0
/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
/dev/ashmem u:object_r:ashmem_device:s0
/dev/audio.* u:object_r:audio_device:s0
/dev/binder u:object_r:binder_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
/dev/block/vold/.+ u:object_r:vold_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
/dev/fuse u:object_r:fuse_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/input(/.*)? u:object_r:input_device:s0
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
/dev/pmsg0 u:object_r:pmsg_device:s0
/dev/pn544 u:object_r:nfc_device:s0
/dev/port u:object_r:port_device:s0
/dev/ppp u:object_r:ppp_device:s0
/dev/ptmx u:object_r:ptmx_device:s0
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
/dev/rproc_user u:object_r:rpmsg_device:s0
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
/dev/socket/lmkd u:object_r:lmkd_socket:s0
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
/dev/socket/netd u:object_r:netd_socket:s0
/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
/dev/socket/heapprofd u:object_r:heapprofd_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote u:object_r:zygote_socket:s0
/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
/dev/socket/blastula_pool u:object_r:zygote_socket:s0
/dev/socket/blastula_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
/dev/tun u:object_r:tun_device:s0
/dev/uhid u:object_r:uhid_device:s0
/dev/uinput u:object_r:uhid_device:s0
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
#############################
# System files
#
/system(/.*)? u:object_r:system_file:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
/system/bin/ashmemd u:object_r:ashmemd_exec:s0
/system/bin/auditctl u:object_r:auditctl_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
/system/bin/tcpdump -- u:object_r:tcpdump_exec:s0
/system/bin/tune2fs -- u:object_r:fsck_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
/system/bin/toybox -- u:object_r:toolbox_exec:s0
/system/bin/ld\.mc u:object_r:rs_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logcatd -- u:object_r:logcat_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
/system/bin/bootanimation u:object_r:bootanim_exec:s0
/system/bin/bootstat u:object_r:bootstat_exec:s0
/system/bin/app_process32 u:object_r:zygote_exec:s0
/system/bin/app_process64 u:object_r:zygote_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
/system/bin/gpuservice u:object_r:gpuservice_exec:s0
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
/system/bin/performanced u:object_r:performanced_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
/system/bin/incident_helper u:object_r:incident_helper_exec:s0
/system/bin/iw u:object_r:iw_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/wificond u:object_r:wificond_exec:s0
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
/system/bin/sdcard u:object_r:sdcardd_exec:s0
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
/system/bin/pppd u:object_r:ppp_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/perfprofd u:object_r:perfprofd_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/heapprofd u:object_r:heapprofd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0
/system/bin/vdc u:object_r:vdc_exec:s0
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
#############################
# Vendor files
#
/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
/(vendor|system/vendor)/manifest\.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
#############################
# OEM and ODM files
#
/(odm|vendor/odm)(/.*)? u:object_r:vendor_file:s0
/(odm|vendor/odm)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
/(odm|vendor/odm)/lib(64)?/hw u:object_r:vendor_hal_file:s0
/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
/(odm|vendor/odm)/bin/sh u:object_r:vendor_shell_exec:s0
/(odm|vendor/odm)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(odm|vendor/odm)/app(/.*)? u:object_r:vendor_app_file:s0
/(odm|vendor/odm)/priv-app(/.*)? u:object_r:vendor_app_file:s0
/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
# Input configuration
/(odm|vendor|vendor/odm)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
/(odm|vendor|vendor/odm)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
/(odm|vendor|vendor/odm)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
/oem(/.*)? u:object_r:oemfs:s0
/oem/overlay(/.*)? u:object_r:vendor_overlay_file:s0
# The precompiled monolithic sepolicy will be under /odm only when
# BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
# Product files
#
/(product|system/product)(/.*)? u:object_r:system_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
# Product-Services files
#
/(product_services|system/product_services)(/.*)? u:object_r:system_file:s0
/(product_services|system/product_services)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
# NOTE: For additional vendor file contexts for vendor overlay files,
# use device specific file_contexts.
#
/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
#############################
# Data files
#
# NOTE: When modifying existing label rules, changes may also need to
# propagate to the "Expanded data files" section.
#
/data(/.*)? u:object_r:system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
/data/.layout_version u:object_r:install_data_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/ota(/.*)? u:object_r:ota_data_file:s0
/data/ota_package(/.*)? u:object_r:ota_package_file:s0
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/apex(/.*)? u:object_r:apex_data_file:s0
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
# This directory was removed after Q Beta 2, but we need to preserve labels for upgrading devices.
/data/pkg_staging(/.*)? u:object_r:staging_data_file:s0
/data/property(/.*)? u:object_r:property_data_file:s0
/data/preloads(/.*)? u:object_r:preloads_data_file:s0
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
/data/app-staging(/.*)? u:object_r:staging_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
# Fingerprint vendor data file
/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
# Face vendor data file
/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
# Iris vendor data file
/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
#############################
# Expanded data files
#
/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
# Wallpaper files
/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
# Ringtone files
/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
# ShortcutManager icons, e.g.
# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
# User icon files
/data/system/users/[0-9]+/photo\.png u:object_r:icon_file:s0
# vold per-user data
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
# iorapd per-user data
/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
# Backup service persistent per-user bookkeeping
/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
# Backup service temporary per-user data for inter-change with apps
/data/system_ce/[0-9]+/backup_stage(/.*)? u:object_r:backup_data_file:s0
#############################
# efs files
#
/efs(/.*)? u:object_r:efs_file:s0
#############################
# Cache files
#
/cache(/.*)? u:object_r:cache_file:s0
/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
# General backup/restore interchange with apps
/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
# LocalTransport (backup) uses this subtree
/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
#############################
# Overlayfs support directories
#
/cache/overlay(/.*)? u:object_r:overlayfs_file:s0
/mnt/scratch(/.*)? u:object_r:overlayfs_file:s0
/data/cache(/.*)? u:object_r:cache_file:s0
/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
# General backup/restore interchange with apps
/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
# LocalTransport (backup) uses this subtree
/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
#############################
# Metadata files
#
/metadata(/.*)? u:object_r:metadata_file:s0
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
/data/app-asec(/.*)? u:object_r:asec_image_file:s0
#############################
# external storage
/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
#############################
# mount point for read-write vendor partitions
/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0

12
prebuilts/api/29.0/private/file_contexts_asan Normal file
View file

@ -0,0 +1,12 @@
/data/asan/system/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/system/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/vendor/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/vendor/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
/system/bin/asan/app_process u:object_r:zygote_exec:s0
/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
/system/bin/asan/app_process64 u:object_r:zygote_exec:s0

9
prebuilts/api/29.0/private/file_contexts_overlayfs Normal file
View file

@ -0,0 +1,9 @@
#############################
# Overlayfs support directories for userdebug/eng devices
#
/cache/overlay/(system|product)/upper u:object_r:system_file:s0
/cache/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
/cache/overlay/oem/upper u:object_r:vendor_file:s0
/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
/mnt/scratch/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
/mnt/scratch/overlay/oem/upper u:object_r:vendor_file:s0

3
prebuilts/api/29.0/private/fingerprintd.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute fingerprintd coredomain;
init_daemon_domain(fingerprintd)

3
prebuilts/api/29.0/private/flags_health_check.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute flags_health_check coredomain;
init_daemon_domain(flags_health_check)

25
prebuilts/api/29.0/private/fs_use Normal file
View file

@ -0,0 +1,25 @@
# Label inodes via getxattr.
fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
fs_use_xattr jffs2 u:object_r:labeledfs:s0;
fs_use_xattr ext2 u:object_r:labeledfs:s0;
fs_use_xattr ext3 u:object_r:labeledfs:s0;
fs_use_xattr ext4 u:object_r:labeledfs:s0;
fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;
fs_use_xattr f2fs u:object_r:labeledfs:s0;
fs_use_xattr squashfs u:object_r:labeledfs:s0;
fs_use_xattr overlay u:object_r:labeledfs:s0;
fs_use_xattr erofs u:object_r:labeledfs:s0;
# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
fs_use_task sockfs u:object_r:sockfs:s0;
# Label inodes from combination of task label and fs label.
# Define type_transition rules if you want per-domain types.
fs_use_trans devpts u:object_r:devpts:s0;
fs_use_trans tmpfs u:object_r:tmpfs:s0;
fs_use_trans devtmpfs u:object_r:device:s0;
fs_use_trans shm u:object_r:shm:s0;
fs_use_trans mqueue u:object_r:mqueue:s0;

5
prebuilts/api/29.0/private/fsck.te Normal file
View file

@ -0,0 +1,5 @@
typeattribute fsck coredomain;
init_daemon_domain(fsck)
allow fsck metadata_block_device:blk_file rw_file_perms;

1
prebuilts/api/29.0/private/fsck_untrusted.te Normal file
View file

@ -0,0 +1 @@
typeattribute fsck_untrusted coredomain;

25
prebuilts/api/29.0/private/fsverity_init.te Normal file
View file

@ -0,0 +1,25 @@
type fsverity_init, domain, coredomain;
type fsverity_init_exec, exec_type, file_type, system_file_type;
init_daemon_domain(fsverity_init)
# Allow this shell script to run and execute toybox
allow fsverity_init shell_exec:file rx_file_perms;
allow fsverity_init toolbox_exec:file rx_file_perms;
# Allow to read /proc/keys for searching key id.
allow fsverity_init proc_keys:file r_file_perms;
# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
dontaudit fsverity_init init:key view;
dontaudit fsverity_init vold:key view;
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
# Allow init to write to /proc/sys/fs/verity/require_signatures
allow fsverity_init proc_fs_verity:file w_file_perms;
# When kernel requests an algorithm, the crypto API first looks for an
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
dontaudit fsverity_init kernel:system module_request;

8
prebuilts/api/29.0/private/fwk_bufferhub.te Normal file
View file

@ -0,0 +1,8 @@
type fwk_bufferhub, domain, coredomain;
type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
allow fwk_bufferhub ion_device:chr_file r_file_perms;
hal_server_domain(fwk_bufferhub, hal_bufferhub)
init_daemon_domain(fwk_bufferhub)

3
prebuilts/api/29.0/private/gatekeeperd.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute gatekeeperd coredomain;
init_daemon_domain(gatekeeperd)

296
prebuilts/api/29.0/private/genfs_contexts Normal file
View file

@ -0,0 +1,296 @@
# Label inodes with the fs label.
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
genfscon proc /softirqs u:object_r:proc_timer:s0
genfscon proc /stat u:object_r:proc_stat:s0
genfscon proc /swaps u:object_r:proc_swaps:s0
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/random u:object_r:proc_random:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
genfscon cgroup2 / u:object_r:cgroup_bpf:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
genfscon tracefs /trace u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
genfscon esdfs / u:object_r:sdcardfs:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0

41
prebuilts/api/29.0/private/gpuservice.te Normal file
View file

@ -0,0 +1,41 @@
# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
binder_use(gpuservice)
# Access the GPU.
allow gpuservice gpu_device:chr_file rw_file_perms;
# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
allow gpuservice ion_device:chr_file r_file_perms;
get_prop(gpuservice, hwservicemanager_prop)
hwbinder_use(gpuservice)
# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;
# Needed for dumpsys pipes.
allow gpuservice shell:fifo_file write;
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow gpuservice adbd:unix_stream_socket { read write getattr };
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
# Needed for dumpstate to dumpsys gpu.
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')

132
prebuilts/api/29.0/private/gsid.te Normal file
View file

@ -0,0 +1,132 @@
# gsid - Manager for GSI Installation
type gsid, domain;
type gsid_exec, exec_type, file_type, system_file_type;
typeattribute gsid coredomain;
init_daemon_domain(gsid)
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
set_prop(gsid, gsid_prop)
# Needed to create/delete device-mapper nodes, and read/write to them.
allow gsid dm_device:chr_file rw_file_perms;
allow gsid dm_device:blk_file rw_file_perms;
allow gsid self:global_capability_class_set sys_admin;
dontaudit gsid self:global_capability_class_set dac_override;
# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
allow gsid sysfs_dm:dir r_dir_perms;
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
allow gsid proc_cmdline:file r_file_perms;
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;
# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;
# liblp queries these block alignment properties.
allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
BLKIOMIN
BLKALIGNOFF
};
# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;
# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
allow gsid vfat:dir rw_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
allow gsid self:global_capability_class_set sys_rawio;
# gsi_tool passes the system image over the adb connection, via stdin.
allow gsid adbd:fd use;
# Needed when running gsi_tool through "su root" rather than adb root.
allow gsid adbd:unix_stream_socket rw_socket_perms;
neverallow { domain -gsid -init } gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
#
# 1. fallocate a file large enough to hold the signed GSI
# 2. extract its block layout with FIEMAP
# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
# 4. write system_gsi into that dm device
#
# To make this process work, we need to unwrap the device-mapper stacking for
# userdata to reach the underlying block device. To verify the result we use
# stat(), which requires read access.
allow gsid userdata_block_device:blk_file r_file_perms;
# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
# init. It cannot use userdata since data cannot be decrypted during this
# stage.
#
# gsid uses /metadata/gsi to store three files:
# install_status - A short string indicating whether a GSI image is bootable.
# lp_metadata - LpMetadata blob describing the block ranges on userdata
# where system_gsi resides.
# booted - An empty file that, if exists, indicates that a GSI is
# currently running.
#
allow gsid metadata_file:dir search;
allow gsid gsi_metadata_file:dir rw_dir_perms;
allow gsid gsi_metadata_file:file create_file_perms;
allow gsid gsi_data_file:dir rw_dir_perms;
allow gsid gsi_data_file:file create_file_perms;
allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
neverallow {
domain
-init
-gsid
-fastbootd
-vold
} gsi_metadata_file:dir *;
neverallow {
domain
-init
-gsid
-fastbootd
-vold
} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow {
domain
-init
-gsid
-fastbootd
-vold
} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
neverallow {
domain
-gsid
} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow {
domain
-init
-gsid
} gsi_data_file:dir *;
neverallow {
domain
-gsid
} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };

8
prebuilts/api/29.0/private/hal_allocator_default.te Normal file
View file

@ -0,0 +1,8 @@
type hal_allocator_default, domain, coredomain;
hal_server_domain(hal_allocator_default, hal_allocator)
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_allocator_default)
# To talk to ashmemd
binder_use(hal_allocator_default)

13
prebuilts/api/29.0/private/halclientdomain.te Normal file
View file

@ -0,0 +1,13 @@
###
### Rules for all domains which are clients of a HAL
###
# Find out whether a HAL in passthrough/in-process mode or
# binderized/out-of-process mode
hwbinder_use(halclientdomain)
# Used to wait for hwservicemanager
get_prop(halclientdomain, hwservicemanager_prop)
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;

12
prebuilts/api/29.0/private/halserverdomain.te Normal file
View file

@ -0,0 +1,12 @@
###
### Rules for all domains which offer a HAL service over HwBinder
###
# Register the HAL service with hwservicemanager
hwbinder_use(halserverdomain)
# Find HAL implementations
allow halserverdomain system_file:dir r_dir_perms;
# Used to wait for hwservicemanager
get_prop(halserverdomain, hwservicemanager_prop)

6
prebuilts/api/29.0/private/healthd.te Normal file
View file

@ -0,0 +1,6 @@
typeattribute healthd coredomain;
init_daemon_domain(healthd)
# Allow healthd to serve health HAL
hal_server_domain(healthd, hal_health)

77
prebuilts/api/29.0/private/heapprofd.te Normal file
View file

@ -0,0 +1,77 @@
# Android heap profiling daemon. go/heapprofd.
#
# On user builds, this daemon is responsible for receiving the initial
# profiling configuration, finding matching target processes (if profiling by
# process name), and sending the activation signal to them (+ setting system
# properties for new processes to start profiling from startup). When profiling
# is triggered in a process, it spawns a private heapprofd subprocess (in its
# own SELinux domain), which will exclusively handle profiling of its parent.
#
# On debug builds, this central daemon performs profiling for all target
# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;
init_daemon_domain(heapprofd)
tmpfs_domain(heapprofd)
# Allow apps in other MLS contexts (for multi-user) to access
# shared memory buffers created by heapprofd.
typeattribute heapprofd_tmpfs mlstrustedobject;
set_prop(heapprofd, heapprofd_prop);
# Necessary for /proc/[pid]/cmdline access & sending signals.
typeattribute heapprofd mlstrustedsubject;
# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
# SIGCHLD, which are controlled by separate permissions.
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
# profiling, only whitelisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
allow heapprofd traced:fd use;
allow heapprofd traced_tmpfs:file { read write getattr map };
unix_socket_connect(heapprofd, traced_producer, traced)
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
userdebug_or_eng(`
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
')
# This is going to happen on user but is benign because central heapprofd
# does not actually need these permission.
# If the dac_read_search capability check is rejected, the kernel then tries
# to perform a dac_override capability check, so we need to dontaudit that
# as well.
dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
never_profile_heap(`{
bpfloader
init
kernel
keystore
llkd
logd
ueventd
vendor_init
vold
}')
full_treble_only(`
neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
')

82
prebuilts/api/29.0/private/hwservice_contexts Normal file
View file

@ -0,0 +1,82 @@
android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0
android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
android.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory u:object_r:hal_audio_hwservice:s0
android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_broadcastradio_hwservice:s0
android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
android.hardware.health.storage::IStorage u:object_r:hal_health_storage_hwservice:s0
android.hardware.input.classifier::IInputClassifier u:object_r:hal_input_classifier_hwservice:s0
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
android.hardware.power.stats::IPowerStats u:object_r:hal_power_stats_hwservice:s0
android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
* u:object_r:default_android_hwservice:s0

8
prebuilts/api/29.0/private/hwservicemanager.te Normal file
View file

@ -0,0 +1,8 @@
typeattribute hwservicemanager coredomain;
init_daemon_domain(hwservicemanager)
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
set_prop(hwservicemanager, ctl_interface_start_prop)

3
prebuilts/api/29.0/private/idmap.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute idmap coredomain;
init_daemon_domain(idmap)

30
prebuilts/api/29.0/private/incident.te Normal file
View file

@ -0,0 +1,30 @@
typeattribute incident coredomain;
type incident_exec, system_file_type, exec_type, file_type;
# switch to incident domain for incident command
domain_auto_trans(shell, incident_exec, incident)
# allow incident access to stdout from its parent shell.
allow incident shell:fd use;
# allow incident be able to output data for CTS to fetch.
allow incident devpts:chr_file { read write };
# allow incident to communicate use, read and write over the adb
# connection.
allow incident adbd:fd use;
allow incident adbd:unix_stream_socket { read write };
# allow adbd to reap incident
allow incident adbd:process { sigchld };
# Allow the incident command to talk to the incidentd over the binder, and get
# back the incident report data from a ParcelFileDescriptor.
binder_use(incident)
allow incident incident_service:service_manager find;
binder_call(incident, incidentd)
allow incident incidentd:fifo_file write;
# only allow incident being called by shell
neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };

14
prebuilts/api/29.0/private/incident_helper.te Normal file
View file

@ -0,0 +1,14 @@
typeattribute incident_helper coredomain;
type incident_helper_exec, system_file_type, exec_type, file_type;
# switch to incident_helper domain for incident_helper command
domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
# use pipe to transmit data from/to incidentd/incident_helper for parsing
allow incident_helper { shell incident incidentd dumpstate }:fd use;
allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
allow incident_helper incidentd:unix_stream_socket { read write };
# only allow incidentd and shell to call incident_helper
neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };

177
prebuilts/api/29.0/private/incidentd.te Normal file
View file

@ -0,0 +1,177 @@
typeattribute incidentd coredomain;
typeattribute incidentd mlstrustedsubject;
init_daemon_domain(incidentd)
type incidentd_exec, system_file_type, exec_type, file_type;
binder_use(incidentd)
wakelock_use(incidentd)
# Allow incidentd to scan through /proc/pid for all processes
r_dir_file(incidentd, domain)
# Allow incidentd to kill incident_helper when timeout
allow incidentd incident_helper:process sigkill;
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file rx_file_perms;
# section id 1002, allow reading kernel version /proc/version
allow incidentd proc_version:file r_file_perms;
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
allow incidentd debugfs_wakeup_sources:file r_file_perms;
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
allow incidentd sysfs_devices_system_cpu:file r_file_perms;
# section id 2005, allow reading ps dump in full
allow incidentd domain:process getattr;
# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
allow incidentd sysfs_batteryinfo:dir { search };
allow incidentd sysfs_batteryinfo:file r_file_perms;
# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
userdebug_or_eng(`allow incidentd pstorefs:dir search');
userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
# section id 3023, allow obtaining stats report
allow incidentd stats_service:service_manager find;
binder_call(incidentd, statsd)
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
# Enable incidentd to get stack traces.
binder_use(incidentd)
hwbinder_use(incidentd)
allow incidentd hwservicemanager:hwservice_manager { list };
get_prop(incidentd, hwservicemanager_prop)
allow incidentd hidl_manager_hwservice:hwservice_manager { find };
# Read files in /proc
allow incidentd {
proc_cmdline
proc_pipe_conf
proc_stat
}:file r_file_perms;
# Signal java processes to dump their stack and get the results
allow incidentd { appdomain ephemeral_app system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in incidentd/utils.c
allow incidentd {
# This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
audioserver
cameraserver
drmserver
inputflinger
mediadrmserver
mediaextractor
mediametrics
mediaserver
sdcardd
statsd
surfaceflinger
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
hal_omx_server
hal_sensors_server
hal_vr_server
}:process signal;
# Allow incidentd to make binder calls to any binder service
binder_call(incidentd, system_server)
binder_call(incidentd, appdomain)
# Reading /proc/PID/maps of other processes
userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
# incidentd has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow incidentd *:process ptrace;
allow incidentd self:global_capability_class_set {
# Send signals to processes
kill
};
# Connect to tombstoned to intercept dumps.
unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
# Run a shell.
allow incidentd shell_exec:file rx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
allow incidentd {
system_server_service
app_api_service
system_api_service
}:service_manager find;
# Only incidentd can publish the binder service
add_service(incidentd, incident_service)
# Allow pipes only from dumpstate and incident
allow incidentd { dumpstate incident }:fd use;
allow incidentd { dumpstate incident }:fifo_file write;
# Allow incident to call back to incident with status updates.
binder_call(incidentd, incident)
###
### neverallow rules
###
# only dumpstate, system_server, system_app and incident command can find the incident service
neverallow {
domain
-dumpstate
-incident
-incidentd
-priv_app
-statsd
-system_app
-system_server
} incident_service:service_manager find;
# only incidentd and the other root services in limited circumstances
# can get to the files in /data/misc/incidents
#
# write, execute, append are forbidden almost everywhere
neverallow { domain -incidentd -init -vold } incident_data_file:file {
w_file_perms
x_file_perms
create
rename
setattr
unlink
append
};
# read is also allowed by system_server, for when the file is handed to dropbox
neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
# limited access to the directory itself
neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;

34
prebuilts/api/29.0/private/init.te Normal file
View file

@ -0,0 +1,34 @@
typeattribute init coredomain;
tmpfs_domain(init)
# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
domain_auto_trans(init, bpfloader_exec, bpfloader)
recovery_only(`
# Files in recovery image are labeled as rootfs.
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
userdebug_or_eng(`
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
domain_auto_trans(init, logcat_exec, logpersist)
# allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
allow init su:process transition;
dontaudit init su:process noatsecure;
allow init su:process { siginh rlimitinh };
')
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)

27
prebuilts/api/29.0/private/initial_sid_contexts Normal file
View file

@ -0,0 +1,27 @@
sid kernel u:r:kernel:s0
sid security u:object_r:kernel:s0
sid unlabeled u:object_r:unlabeled:s0
sid fs u:object_r:labeledfs:s0
sid file u:object_r:unlabeled:s0
sid file_labels u:object_r:unlabeled:s0
sid init u:object_r:unlabeled:s0
sid any_socket u:object_r:unlabeled:s0
sid port u:object_r:port:s0
sid netif u:object_r:netif:s0
sid netmsg u:object_r:unlabeled:s0
sid node u:object_r:node:s0
sid igmp_packet u:object_r:unlabeled:s0
sid icmp_socket u:object_r:unlabeled:s0
sid tcp_socket u:object_r:unlabeled:s0
sid sysctl_modprobe u:object_r:unlabeled:s0
sid sysctl u:object_r:proc:s0
sid sysctl_fs u:object_r:unlabeled:s0
sid sysctl_kernel u:object_r:unlabeled:s0
sid sysctl_net u:object_r:unlabeled:s0
sid sysctl_net_unix u:object_r:unlabeled:s0
sid sysctl_vm u:object_r:unlabeled:s0
sid sysctl_dev u:object_r:unlabeled:s0
sid kmod u:object_r:unlabeled:s0
sid policy u:object_r:unlabeled:s0
sid scmp_packet u:object_r:unlabeled:s0
sid devnull u:object_r:null_device:s0

35
prebuilts/api/29.0/private/initial_sids Normal file
View file

@ -0,0 +1,35 @@
# FLASK
#
# Define initial security identifiers
#
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull
# FLASK

3
prebuilts/api/29.0/private/inputflinger.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute inputflinger coredomain;
init_daemon_domain(inputflinger)

3
prebuilts/api/29.0/private/install_recovery.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute install_recovery coredomain;
init_daemon_domain(install_recovery)

41
prebuilts/api/29.0/private/installd.te Normal file
View file

@ -0,0 +1,41 @@
typeattribute installd coredomain;
init_daemon_domain(installd)
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
# Run viewcompiler in its own sandbox.
domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
# Run profman in its own sandbox.
domain_auto_trans(installd, profman_exec, profman)
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
# For collecting bugreports.
allow installd dumpstate:fd use;
allow installd dumpstate:fifo_file r_file_perms;
# Delete /system/bin/bcc generated artifacts
allow installd app_exec_data_file:file unlink;
# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
# subsequently restore them.
allow installd rollback_data_file:dir create_dir_perms;
allow installd rollback_data_file:file create_file_perms;
# Allow installd to access the runtime feature flag properties.
get_prop(installd, device_config_runtime_native_prop)
get_prop(installd, device_config_runtime_native_boot_prop)
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };

4
prebuilts/api/29.0/private/iorapd.te Normal file
View file

@ -0,0 +1,4 @@
typeattribute iorapd coredomain;
init_daemon_domain(iorapd)
tmpfs_domain(iorapd)

153
prebuilts/api/29.0/private/isolated_app.te Normal file
View file

@ -0,0 +1,153 @@
###
### Services with isolatedProcess=true in their manifest.
###
### This file defines the rules for isolated apps. An "isolated
### app" is an APP with UID between AID_ISOLATED_START (99000)
### and AID_ISOLATED_END (99999).
###
typeattribute isolated_app coredomain;
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
# webview_zygote process. These rules are specialized copies of the ones in app.te.
# Inherit FDs from the webview_zygote.
allow isolated_app webview_zygote:fd use;
# Notify webview_zygote of child death.
allow isolated_app webview_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app webview_zygote:unix_dgram_socket write;
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
# Inherit FDs from the app_zygote.
allow isolated_app app_zygote:fd use;
# Notify app_zygote of child death.
allow isolated_app app_zygote:process sigchld;
# Inherit logd write socket.
allow isolated_app app_zygote:unix_dgram_socket write;
# TODO (b/63631799) fix this access
# suppress denials to /data/local/tmp
dontaudit isolated_app shell_data_file:dir search;
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow isolated_app traced:fd use;
allow isolated_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(isolated_app, traced_producer, traced)
# Allow heap profiling if the main app has been marked as profileable or
# debuggable.
can_profile_heap(isolated_app)
allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
#####
##### Neverallow
#####
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app { app_data_file privapp_data_file }:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
neverallow isolated_app anr_data_file:file ~{ open append };
neverallow isolated_app anr_data_file:dir ~search;
# Isolated apps must not be permitted to use HwBinder
neverallow isolated_app hwbinder_device:chr_file *;
neverallow isolated_app *:hwservice_manager *;
# Isolated apps must not be permitted to use VndBinder
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
# except the find actions for services whitelisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service, webviewupdate_service, and
# ashmem_device_service.
neverallow isolated_app {
service_manager_type
-activity_service
-ashmem_device_service
-display_service
-webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };
# Do not allow isolated_app to access external storage, except for files passed
# via file descriptors (b/32896414).
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote:sock_file write;
# Limit the /sys files which isolated_app can access. This is important
# for controlling isolated_app attack surface.
neverallow isolated_app {
sysfs_type
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.
# List taken from system/sepolicy/public/global_macros - socket_class_set
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
neverallow isolated_app self:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
qipcrtr_socket smc_socket xdp_socket
} create;

4
prebuilts/api/29.0/private/iw.te Normal file
View file

@ -0,0 +1,4 @@
type iw, domain, coredomain;
type iw_exec, system_file_type, exec_type, file_type;
init_daemon_domain(iw)

8
prebuilts/api/29.0/private/kernel.te Normal file
View file

@ -0,0 +1,8 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;

28
prebuilts/api/29.0/private/keys.conf Normal file
View file

@ -0,0 +1,28 @@
#
# Maps an arbitrary tag [TAGNAME] with the string contents found in
# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
# name it after the base file name of the pem file.
#
# Each tag (section) then allows one to specify any string found in
# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
#
[@PLATFORM]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
[@MEDIA]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
[@NETWORK_STACK]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/networkstack.x509.pem
[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
# Example of ALL TARGET_BUILD_VARIANTS
[@RELEASE]
ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem

19
prebuilts/api/29.0/private/keystore.te Normal file
View file

@ -0,0 +1,19 @@
typeattribute keystore coredomain;
init_daemon_domain(keystore)
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
# Offer the Wifi Keystore HwBinder service
typeattribute keystore wifi_keystore_service_server;
add_hwservice(keystore, system_wifi_keystore_hwservice)
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)

53
prebuilts/api/29.0/private/llkd.te Normal file
View file

@ -0,0 +1,53 @@
# llkd Live LocK Daemon
typeattribute llkd coredomain;
init_daemon_domain(llkd)
get_prop(llkd, llkd_prop)
allow llkd self:global_capability_class_set kill;
userdebug_or_eng(`
allow llkd self:global_capability_class_set sys_ptrace;
allow llkd self:global_capability_class_set { dac_override dac_read_search };
')
# llkd optionally locks itself in memory, to prevent it from being
# swapped out and unable to discover a kernel in live-lock state.
allow llkd self:global_capability_class_set ipc_lock;
# Send kill signals to _anyone_ suffering from Live Lock
allow llkd domain:process sigkill;
# read stack to check for Live Lock
userdebug_or_eng(`
allow llkd {
domain
-apexd
-kernel
-keystore
-init
-llkd
-ueventd
-vendor_init
}:process ptrace;
')
# live lock watchdog process allowed to look through /proc/
allow llkd domain:dir r_dir_perms;
allow llkd domain:file r_file_perms;
allow llkd domain:lnk_file read;
# Set /proc/sys/kernel/hung_task_*
allow llkd proc_hung_task:file rw_file_perms;
# live lock watchdog process allowed to dump process trace and
# reboot because orderly shutdown may not be possible.
allow llkd proc_sysrq:file w_file_perms;
allow llkd kmsg_device:chr_file w_file_perms;
### neverallow rules
neverallow { domain -init } llkd:process { dyntransition transition };
neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
# never honor LD_PRELOAD
neverallow * llkd:process noatsecure;

3
prebuilts/api/29.0/private/lmkd.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute lmkd coredomain;
init_daemon_domain(lmkd)

37
prebuilts/api/29.0/private/logd.te Normal file
View file

@ -0,0 +1,37 @@
typeattribute logd coredomain;
init_daemon_domain(logd)
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
neverallow logd {
file_type
-runtime_event_log_tags_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
}:file { create write append };
# protect the event-log-tags file
neverallow {
domain
-appdomain # covered below
-bootstat
-dumpstate
-init
-logd
userdebug_or_eng(`-logpersist')
-servicemanager
-system_server
-surfaceflinger
-zygote
} runtime_event_log_tags_file:file no_rw_file_perms;
neverallow {
appdomain
-bluetooth
-platform_app
-priv_app
-radio
-shell
userdebug_or_eng(`-su')
-system_app
} runtime_event_log_tags_file:file no_rw_file_perms;

24
prebuilts/api/29.0/private/logpersist.te Normal file
View file

@ -0,0 +1,24 @@
typeattribute logpersist coredomain;
# android debug log storage in logpersist domains (eng and userdebug only)
userdebug_or_eng(`
r_dir_file(logpersist, cgroup)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
allow logpersist self:global_capability_class_set sys_nice;
allow logpersist pstorefs:dir search;
allow logpersist pstorefs:file r_file_perms;
control_logd(logpersist)
unix_socket_connect(logpersist, logdr, logd)
read_runtime_log_tags(logpersist)
')
# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };

41
prebuilts/api/29.0/private/lpdumpd.te Normal file
View file

@ -0,0 +1,41 @@
type lpdumpd, domain, coredomain;
type lpdumpd_exec, system_file_type, exec_type, file_type;
init_daemon_domain(lpdumpd)
# Allow lpdumpd to register itself as a service.
binder_use(lpdumpd)
add_service(lpdumpd, lpdump_service)
# Allow lpdumpd to find the super partition block device.
allow lpdumpd block_device:dir r_dir_perms;
# Allow lpdumpd to read super partition metadata.
allow lpdumpd super_block_device_type:blk_file r_file_perms;
# Allow lpdumpd to read fstab.
allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
# Triggered when lpdumpd tries to read default fstab.
dontaudit lpdumpd metadata_file:dir r_dir_perms;
dontaudit lpdumpd metadata_file:file r_file_perms;
dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
### Neverallow rules
# Disallow other domains to get lpdump_service and call lpdumpd.
neverallow {
domain
-dumpstate
-lpdumpd
-shell
} lpdump_service:service_manager find;
neverallow {
domain
-dumpstate
-lpdumpd
-shell
} lpdumpd:binder call;

62
prebuilts/api/29.0/private/mac_permissions.xml Normal file
View file

@ -0,0 +1,62 @@
<?xml version="1.0" encoding="utf-8"?>
<policy>
<!--
* A signature is a hex encoded X.509 certificate or a tag defined in
keys.conf and is required for each signer tag. The signature can
either appear as a set of attached cert child tags or as an attribute.
* A signer tag must contain a seinfo tag XOR multiple package stanzas.
* Each signer/package tag is allowed to contain one seinfo tag. This tag
represents additional info that each app can use in setting a SELinux security
context on the eventual process as well as the apps data directory.
* seinfo assignments are made according to the following rules:
- Stanzas with package name refinements will be checked first.
- Stanzas w/o package name refinements will be checked second.
- The "default" seinfo label is automatically applied.
* valid stanzas can take one of the following forms:
// single cert protecting seinfo
<signer signature="@PLATFORM" >
<seinfo value="platform" />
</signer>
// multiple certs protecting seinfo (all contained certs must match)
<signer>
<cert signature="@PLATFORM1"/>
<cert signature="@PLATFORM2"/>
<seinfo value="platform" />
</signer>
// single cert protecting explicitly named app
<signer signature="@PLATFORM" >
<package name="com.android.foo">
<seinfo value="bar" />
</package>
</signer>
// multiple certs protecting explicitly named app (all certs must match)
<signer>
<cert signature="@PLATFORM1"/>
<cert signature="@PLATFORM2"/>
<package name="com.android.foo">
<seinfo value="bar" />
</package>
</signer>
-->
<!-- Platform dev key in AOSP -->
<signer signature="@PLATFORM" >
<seinfo value="platform" />
</signer>
<!-- Media key in AOSP -->
<signer signature="@MEDIA" >
<seinfo value="media" />
</signer>
<signer signature="@NETWORK_STACK" >
<seinfo value="network_stack" />
</signer>
</policy>

12
prebuilts/api/29.0/private/mdnsd.te Normal file
View file

@ -0,0 +1,12 @@
# mdns daemon
typeattribute mdnsd coredomain;
typeattribute mdnsd mlstrustedsubject;
type mdnsd_exec, system_file_type, exec_type, file_type;
init_daemon_domain(mdnsd)
net_domain(mdnsd)
# Read from /proc/net
r_dir_file(mdnsd, proc_net_type)

8
prebuilts/api/29.0/private/mediadrmserver.te Normal file
View file

@ -0,0 +1,8 @@
typeattribute mediadrmserver coredomain;
init_daemon_domain(mediadrmserver)
# allocate and use graphic buffers
hal_client_domain(mediadrmserver, hal_graphics_allocator)
auditallow mediadrmserver hal_graphics_allocator_server:binder call;

7
prebuilts/api/29.0/private/mediaextractor.te Normal file
View file

@ -0,0 +1,7 @@
typeattribute mediaextractor coredomain;
init_daemon_domain(mediaextractor)
tmpfs_domain(mediaextractor)
allow mediaextractor appdomain_tmpfs:file { getattr map read write };
allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
allow mediaextractor system_server_tmpfs:file { getattr map read write };

3
prebuilts/api/29.0/private/mediametrics.te Normal file
View file

@ -0,0 +1,3 @@
typeattribute mediametrics coredomain;
init_daemon_domain(mediametrics)

46
prebuilts/api/29.0/private/mediaprovider.te Normal file
View file

@ -0,0 +1,46 @@
###
### A domain for android.process.media, which contains both
### MediaProvider and DownloadProvider and associated services.
###
typeattribute mediaprovider coredomain;
app_domain(mediaprovider)
# DownloadProvider accesses the network.
net_domain(mediaprovider)
# DownloadProvider uses /cache.
allow mediaprovider cache_file:dir create_dir_perms;
allow mediaprovider cache_file:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow mediaprovider cache_file:lnk_file r_file_perms;
# mediaprovider searches through /cache looking for orphans
# Ignore denials to /cache/recovery and /cache/backup.
dontaudit mediaprovider cache_private_backup_file:dir getattr;
dontaudit mediaprovider cache_recovery_file:dir getattr;
# Access external sdcards through /mnt/media_rw
allow mediaprovider { mnt_media_rw_file }:dir search;
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
allow mediaprovider mediaextractor_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
# Allow MediaProvider to read/write cached ringtones (opened by system).
allow mediaprovider ringtone_file:file { getattr read write };
# MtpServer uses /dev/mtp_usb
allow mediaprovider mtp_device:chr_file rw_file_perms;
# MtpServer uses /dev/usb-ffs/mtp
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;
allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };

Some files were not shown because too many files have changed in this diff Show more