Move microdroid sepolicy to system/sepolicy am: e1389977e0

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1770910

Change-Id: I656131779f02068a1e5d9b021113b81704959192

microdroid/Android.bp

@@ -0,0 +1,307 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    // http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // the below license kinds from "system_sepolicy_license":
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+system_policy_files = [
+    "system/private/security_classes",
+    "system/private/initial_sids",
+    "system/private/access_vectors",
+    "system/public/global_macros",
+    "system/public/neverallow_macros",
+    "system/private/mls_macros",
+    "system/private/mls_decl",
+    "system/private/mls",
+    "system/private/policy_capabilities",
+    "system/public/te_macros",
+    "system/public/attributes",
+    "system/private/attributes",
+    "system/public/ioctl_defines",
+    "system/public/ioctl_macros",
+    "system/public/*.te",
+    "system/private/*.te",
+    "system/private/roles_decl",
+    "system/public/roles",
+    "system/private/users",
+    "system/private/initial_sid_contexts",
+    "system/private/fs_use",
+    "system/private/genfs_contexts",
+    "system/private/port_contexts",
+]
+
+reqd_mask_files = [
+    "reqd_mask/security_classes",
+    "reqd_mask/initial_sids",
+    "reqd_mask/access_vectors",
+    "reqd_mask/mls_macros",
+    "reqd_mask/mls_decl",
+    "reqd_mask/mls",
+    "reqd_mask/reqd_mask.te",
+    "reqd_mask/roles_decl",
+    "reqd_mask/roles",
+    "reqd_mask/users",
+    "reqd_mask/initial_sid_contexts",
+]
+
+system_public_policy_files = [
+    "reqd_mask/security_classes",
+    "reqd_mask/initial_sids",
+    "reqd_mask/access_vectors",
+    "system/public/global_macros",
+    "system/public/neverallow_macros",
+    "reqd_mask/mls_macros",
+    "reqd_mask/mls_decl",
+    "reqd_mask/mls",
+    "system/public/te_macros",
+    "system/public/attributes",
+    "system/public/ioctl_defines",
+    "system/public/ioctl_macros",
+    "system/public/*.te",
+    "reqd_mask/reqd_mask.te",
+    "reqd_mask/roles_decl",
+    "reqd_mask/roles",
+    "system/public/roles",
+    "reqd_mask/users",
+    "reqd_mask/initial_sid_contexts",
+]
+
+vendor_policy_files = [
+    "reqd_mask/security_classes",
+    "reqd_mask/initial_sids",
+    "reqd_mask/access_vectors",
+    "system/public/global_macros",
+    "system/public/neverallow_macros",
+    "reqd_mask/mls_macros",
+    "reqd_mask/mls_decl",
+    "reqd_mask/mls",
+    "system/public/te_macros",
+    "system/public/attributes",
+    "system/public/ioctl_defines",
+    "system/public/ioctl_macros",
+    "system/public/*.te",
+    "reqd_mask/reqd_mask.te",
+    "vendor/*.te",
+    "reqd_mask/roles_decl",
+    "reqd_mask/roles",
+    "system/public/roles",
+    "reqd_mask/users",
+    "reqd_mask/initial_sid_contexts",
+]
+
+se_policy_conf {
+    name: "microdroid_reqd_policy_mask.conf",
+    srcs: reqd_mask_files,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "microdroid_reqd_policy_mask.cil",
+    src: ":microdroid_reqd_policy_mask.conf",
+    secilc_check: false,
+    installable: false,
+}
+
+se_policy_conf {
+    name: "microdroid_plat_sepolicy.conf",
+    srcs: system_policy_files,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "microdroid_plat_sepolicy.cil",
+    stem: "plat_sepolicy.cil",
+    src: ":microdroid_plat_sepolicy.conf",
+    installable: false,
+}
+
+se_policy_conf {
+    name: "microdroid_plat_pub_policy.conf",
+    srcs: system_public_policy_files,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "microdroid_plat_pub_policy.cil",
+    src: ":microdroid_plat_pub_policy.conf",
+    filter_out: [":microdroid_reqd_policy_mask.cil"],
+    secilc_check: false,
+    installable: false,
+}
+
+se_versioned_policy {
+    name: "microdroid_plat_mapping_file",
+    base: ":microdroid_plat_pub_policy.cil",
+    mapping: true,
+    version: "current",
+    relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+    installable: false,
+}
+
+se_versioned_policy {
+    name: "microdroid_plat_pub_versioned.cil",
+    stem: "plat_pub_versioned.cil",
+    base: ":microdroid_plat_pub_policy.cil",
+    target_policy: ":microdroid_plat_pub_policy.cil",
+    version: "current",
+    dependent_cils: [
+        ":microdroid_plat_sepolicy.cil",
+        ":microdroid_plat_mapping_file",
+    ],
+    installable: false,
+}
+
+se_policy_conf {
+    name: "microdroid_vendor_sepolicy.conf",
+    srcs: vendor_policy_files,
+    installable: false,
+}
+
+se_policy_cil {
+    name: "microdroid_vendor_sepolicy.cil.raw",
+    src: ":microdroid_vendor_sepolicy.conf",
+    filter_out: [":microdroid_reqd_policy_mask.cil"],
+    secilc_check: false, // will be done in se_versioned_policy module
+    installable: false,
+}
+
+se_versioned_policy {
+    name: "microdroid_vendor_sepolicy.cil",
+    stem: "vendor_sepolicy.cil",
+    base: ":microdroid_plat_pub_policy.cil",
+    target_policy: ":microdroid_vendor_sepolicy.cil.raw",
+    version: "current", // microdroid is bundled to system
+    dependent_cils: [
+        ":microdroid_plat_sepolicy.cil",
+        ":microdroid_plat_pub_versioned.cil",
+        ":microdroid_plat_mapping_file",
+    ],
+    filter_out: [":microdroid_plat_pub_versioned.cil"],
+    installable: false,
+}
+
+sepolicy_vers {
+    name: "microdroid_plat_sepolicy_vers.txt",
+    version: "platform",
+    stem: "plat_sepolicy_vers.txt",
+    installable: false,
+}
+
+// sepolicy sha256 for vendor
+genrule {
+    name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
+    srcs: [":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file"],
+    out: ["microdroid_plat_sepolicy_and_mapping.sha256"],
+    cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+    name: "microdroid_plat_sepolicy_and_mapping.sha256",
+    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
+    filename: "plat_sepolicy_and_mapping.sha256",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+    src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
+    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+genrule {
+    name: "microdroid_precompiled_sepolicy_gen",
+    tools: ["secilc"],
+    srcs: [
+        ":microdroid_plat_sepolicy.cil",
+        ":microdroid_plat_mapping_file",
+        ":microdroid_plat_pub_versioned.cil",
+        ":microdroid_vendor_sepolicy.cil",
+    ],
+    out: ["precompiled_sepolicy"],
+    cmd: "$(location secilc) -m -M true -G -c 30 $(in) -o $(out) -f /dev/null",
+}
+
+prebuilt_etc {
+    name: "microdroid_precompiled_sepolicy",
+    src: ":microdroid_precompiled_sepolicy_gen",
+    filename: "precompiled_sepolicy",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+genrule {
+    name: "microdroid_file_contexts.gen",
+    srcs: ["system/private/file_contexts"],
+    tools: ["fc_sort"],
+    out: ["file_contexts"],
+    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+         "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
+
+prebuilt_etc {
+    name: "microdroid_file_contexts",
+    filename: "plat_file_contexts",
+    src: ":microdroid_file_contexts.gen",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+genrule {
+    name: "microdroid_vendor_file_contexts.gen",
+    srcs: ["vendor/file_contexts"],
+    tools: ["fc_sort"],
+    out: ["file_contexts"],
+    cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
+         "$(location fc_sort) -i $(out).tmp -o $(out)",
+}
+
+prebuilt_etc {
+    name: "microdroid_hwservice_contexts",
+    filename: "plat_hwservice_contexts",
+    src: "system/private/hwservice_contexts",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "microdroid_property_contexts",
+    filename: "plat_property_contexts",
+    src: "system/private/property_contexts",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "microdroid_service_contexts",
+    filename: "plat_service_contexts",
+    src: "system/private/service_contexts",
+    relative_install_path: "selinux",
+    installable: false,
+}
+
+prebuilt_etc {
+    name: "microdroid_keystore2_key_contexts",
+    filename: "plat_keystore2_key_contexts",
+    src: "system/private/keystore2_key_contexts",
+    relative_install_path: "selinux",
+    installable: false,
+}

microdroid/reqd_mask/access_vectors

@@ -0,0 +1,777 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	map
+	unlink
+	link
+	rename
+	execute
+	quotaon
+	mounton
+	audit_access
+	open
+	execmod
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	map
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the cap2 common.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+common cap2
+{
+	mac_override	# unused by SELinux
+	mac_admin
+	syslog
+	wake_alarm
+	block_suspend
+	audit_read
+	perfmon
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	associate
+	quotamod
+	quotaget
+	watch
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+}
+
+class anon_inode
+inherits file
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node
+{
+	recvfrom
+	sendto
+}
+
+class netif
+{
+	ingress
+	egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+	execstack
+	execheap
+	setkeycreate
+	setsockcreate
+	getrlimit
+}
+
+class process2
+{
+	nnp_transition
+	nosuid_transition
+}
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+	read_policy
+	validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read
+	syslog_mod
+	syslog_console
+	module_request
+	module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_readpriv
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_relay
+	nlmsg_readpriv
+	nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+	sendto
+	recvfrom
+	setcontext
+	polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+	send
+	recv
+	relabelto
+	forward_in
+	forward_out
+}
+
+class key
+{
+	view
+	read
+	write
+	search
+	link
+	setattr
+	create
+}
+
+class dccp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+}
+
+class memprotect
+{
+	mmap_zero
+}
+
+# network peer labels
+class peer
+{
+	recv
+}
+
+class kernel_service
+{
+	use_as_override
+	create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+	attach_queue
+}
+
+class binder
+{
+	impersonate
+	call
+	set_context_mgr
+	transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+class infiniband_pkey
+{
+	access
+}
+
+class infiniband_endport
+{
+	manage_subnet
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+	association
+}
+
+class icmp_socket
+inherits socket
+{
+	node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class bpf
+{
+	map_create
+	map_read
+	map_write
+	prog_load
+	prog_run
+}
+
+class property_service
+{
+	set
+}
+
+class service_manager
+{
+	add
+	find
+	list
+}
+
+class hwservice_manager
+{
+	add
+	find
+	list
+}
+
+class keystore_key
+{
+	get_state
+	get
+	insert
+	delete
+	exist
+	list
+	reset
+	password
+	lock
+	unlock
+	is_empty
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+	add_auth
+	user_changed
+	gen_unique_id
+}
+
+class keystore2
+{
+	add_auth
+	change_password
+	change_user
+	clear_ns
+	clear_uid
+	early_boot_ended
+	get_auth_token
+	get_state
+	list
+	lock
+	report_off_body
+	reset
+	unlock
+}
+
+class keystore2_key
+{
+	convert_storage_key_to_ephemeral
+	delete
+	gen_unique_id
+	get_info
+	grant
+	manage_blob
+	rebind
+	req_forced_op
+	update
+	use
+	use_dev_id
+}
+
+class drmservice {
+	consumeRights
+	setPlaybackStatus
+	openDecryptSession
+	closeDecryptSession
+	initializeDecryptUnit
+	decrypt
+	finalizeDecryptUnit
+	pread
+}
+
+class xdp_socket
+inherits socket
+
+class perf_event
+{
+	open
+	cpu
+	kernel
+	tracepoint
+	read
+	write
+}
+
+class lockdown
+{
+	integrity
+	confidentiality
+}

microdroid/reqd_mask/initial_sid_contexts

@@ -0,0 +1 @@
+sid reqd_mask u:r:reqd_mask_type:s0

microdroid/reqd_mask/initial_sids

@@ -0,0 +1,3 @@
+sid reqd_mask
+
+# FLASK

microdroid/reqd_mask/keys.conf

@@ -0,0 +1,2 @@
+# empty keys.conf file - used to generate an empty nonplat_mac_permissions.xml
+# on devices without any keys.conf or mac_permissions additions.

microdroid/reqd_mask/mac_permissions.xml

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+</policy>

microdroid/reqd_mask/mls

@@ -0,0 +1 @@
+mlsconstrain binder { set_context_mgr } (l1 eq l2);

microdroid/reqd_mask/mls_decl

@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)

microdroid/reqd_mask/mls_macros

@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')

microdroid/reqd_mask/property_contexts

@@ -0,0 +1,3 @@
+# empty property_contexts file - this file is used to generate an empty
+# non-platform property context for devices without any property_contexts
+# customizations.

microdroid/reqd_mask/reqd_mask.te

@@ -0,0 +1 @@
+type reqd_mask_type;

microdroid/reqd_mask/roles

@@ -0,0 +1 @@
+role r types reqd_mask_type;

microdroid/reqd_mask/roles_decl

@@ -0,0 +1 @@
+role r;

microdroid/reqd_mask/seapp_contexts

@@ -0,0 +1,2 @@
+# empty seapp_contexts file - used to generate an empty seapp_contexts for
+# devices without any non-platform seapp_contexts customizations.

microdroid/reqd_mask/security_classes

@@ -0,0 +1,167 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class anon_inode
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+class process2
+
+class bpf
+
+class xdp_socket
+
+class perf_event
+
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
+# Property service
+class property_service          # userspace
+
+# Service manager
+class service_manager           # userspace
+
+# hardware service manager      # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key              # userspace
+
+# Keystore 2.0 permissions
+class keystore2                 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key             # userspace
+
+class drmservice                # userspace
+# FLASK

microdroid/reqd_mask/service_contexts

@@ -0,0 +1,3 @@
+# empty service_contexts file - this file is used to generate an empty
+# non-platform service_context for devices without any service_contexts
+# customizations.

microdroid/reqd_mask/users

@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;

microdroid/system/private/access_vectors

@@ -0,0 +1,777 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	map
+	unlink
+	link
+	rename
+	execute
+	quotaon
+	mounton
+	audit_access
+	open
+	execmod
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	map
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the cap2 common.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+common cap2
+{
+	mac_override	# unused by SELinux
+	mac_admin
+	syslog
+	wake_alarm
+	block_suspend
+	audit_read
+	perfmon
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	associate
+	quotamod
+	quotaget
+	watch
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+}
+
+class anon_inode
+inherits file
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node
+{
+	recvfrom
+	sendto
+}
+
+class netif
+{
+	ingress
+	egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+	execstack
+	execheap
+	setkeycreate
+	setsockcreate
+	getrlimit
+}
+
+class process2
+{
+	nnp_transition
+	nosuid_transition
+}
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+	read_policy
+	validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read
+	syslog_mod
+	syslog_console
+	module_request
+	module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_readpriv
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_relay
+	nlmsg_readpriv
+	nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+	sendto
+	recvfrom
+	setcontext
+	polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+	send
+	recv
+	relabelto
+	forward_in
+	forward_out
+}
+
+class key
+{
+	view
+	read
+	write
+	search
+	link
+	setattr
+	create
+}
+
+class dccp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+}
+
+class memprotect
+{
+	mmap_zero
+}
+
+# network peer labels
+class peer
+{
+	recv
+}
+
+class kernel_service
+{
+	use_as_override
+	create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+	attach_queue
+}
+
+class binder
+{
+	impersonate
+	call
+	set_context_mgr
+	transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+class infiniband_pkey
+{
+	access
+}
+
+class infiniband_endport
+{
+	manage_subnet
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+	node_bind
+	name_connect
+	association
+}
+
+class icmp_socket
+inherits socket
+{
+	node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class bpf
+{
+	map_create
+	map_read
+	map_write
+	prog_load
+	prog_run
+}
+
+class property_service
+{
+	set
+}
+
+class service_manager
+{
+	add
+	find
+	list
+}
+
+class hwservice_manager
+{
+	add
+	find
+	list
+}
+
+class keystore_key
+{
+	get_state
+	get
+	insert
+	delete
+	exist
+	list
+	reset
+	password
+	lock
+	unlock
+	is_empty
+	sign
+	verify
+	grant
+	duplicate
+	clear_uid
+	add_auth
+	user_changed
+	gen_unique_id
+}
+
+class keystore2
+{
+	add_auth
+	change_password
+	change_user
+	clear_ns
+	clear_uid
+	early_boot_ended
+	get_auth_token
+	get_state
+	list
+	lock
+	report_off_body
+	reset
+	unlock
+}
+
+class keystore2_key
+{
+	convert_storage_key_to_ephemeral
+	delete
+	gen_unique_id
+	get_info
+	grant
+	manage_blob
+	rebind
+	req_forced_op
+	update
+	use
+	use_dev_id
+}
+
+class drmservice {
+	consumeRights
+	setPlaybackStatus
+	openDecryptSession
+	closeDecryptSession
+	initializeDecryptUnit
+	decrypt
+	finalizeDecryptUnit
+	pread
+}
+
+class xdp_socket
+inherits socket
+
+class perf_event
+{
+	open
+	cpu
+	kernel
+	tracepoint
+	read
+	write
+}
+
+class lockdown
+{
+	integrity
+	confidentiality
+}

microdroid/system/private/adbd.te

@@ -0,0 +1,44 @@
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+init_daemon_domain(adbd)
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+  allow adbd self:process setcurrent;
+  allow adbd su:process dyntransition;
+')
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell.  Set supplementary groups.
+allow adbd self:global_capability_class_set { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:global_capability_class_set setpcap;
+
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit adbd self:{ socket vsock_socket } create;
+
+# Allow adbd inside vm to forward vm's vsock.
+allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+allow adbd tmpfs:dir search;
+
+allow adbd rootfs:dir r_dir_perms;
+
+# Connect to shell and use a socket transferred from it.
+# Used for e.g. abb.
+allow adbd shell:unix_stream_socket { read write shutdown };
+allow adbd shell:fd use;

microdroid/system/private/apexd.te

@@ -0,0 +1,87 @@
+typeattribute apexd coredomain;
+
+init_daemon_domain(apexd)
+
+# allow apexd to create loop devices with /dev/loop-control
+allow apexd loop_control_device:chr_file rw_file_perms;
+# allow apexd to access loop devices
+allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl {
+  LOOP_GET_STATUS64
+  LOOP_SET_STATUS64
+  LOOP_SET_FD
+  LOOP_SET_BLOCK_SIZE
+  LOOP_SET_DIRECT_IO
+  LOOP_CLR_FD
+  BLKFLSBUF
+  LOOP_CONFIGURE
+};
+# allow apexd to access /dev/block
+allow apexd block_device:dir r_dir_perms;
+
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
+# allow apexd to access /dev/block/dm-* (device-mapper entries)
+allow apexd dm_device:chr_file rw_file_perms;
+allow apexd dm_device:blk_file rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+# dac_override, chown, and fowner are needed for snapshot and restore
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
+
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set.  We do not appear to truly need this capability
+# for apexd to operate.
+dontaudit apexd self:global_capability_class_set fsetid;
+
+# allow apexd to create a mount point in /apex
+allow apexd apex_mnt_dir:dir create_dir_perms;
+# allow apexd to mount in /apex
+allow apexd apex_mnt_dir:filesystem { mount unmount };
+allow apexd apex_mnt_dir:dir mounton;
+# allow apexd to create symlinks in /apex
+allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
+allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
+allow apexd apex_info_file:file relabelto;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
+
+# Unmount and mount filesystems
+allow apexd labeledfs:filesystem { mount unmount };
+
+# /sys directory tree traversal
+allow apexd sysfs_type:dir search;
+# Configure read-ahead of dm-verity and loop devices
+# for dm-X
+allow apexd sysfs_dm:dir r_dir_perms;
+allow apexd sysfs_dm:file rw_file_perms;
+# for loopX
+allow apexd sysfs_loop:dir r_dir_perms;
+allow apexd sysfs_loop:file rw_file_perms;
+
+# Allow apexd to log to the kernel.
+allow apexd kmsg_device:chr_file w_file_perms;
+
+# Apex pre- & post-install permission.
+
+# Allow self-execute for the fork mount helper.
+allow apexd apexd_exec:file execute_no_trans;
+
+# Unshare and make / private so that hooks cannot influence the
+# running system.
+allow apexd rootfs:dir mounton;
+
+# apexd is using bootstrap bionic
+allow apexd system_bootstrap_lib_file:dir r_dir_perms;
+allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+
+# Allow apexd to read file contexts when performing restorecon
+allow apexd file_contexts_file:file r_file_perms;
+
+#-------------------------------------------
+allow apexd kmsg_device:chr_file w_file_perms;

microdroid/system/private/apkdmverity.te

@@ -0,0 +1,29 @@
+# apkdmverity is a program that protects a signed APK file using dm-verity.
+
+type apkdmverity, domain, coredomain;
+type apkdmverity_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(apkdmverity)
+
+# apkdmverity accesses "payload metadata disk" which points to
+# a /dev/vd* block device file.
+allow apkdmverity block_device:dir r_dir_perms;
+allow apkdmverity block_device:lnk_file r_file_perms;
+allow apkdmverity vd_device:blk_file r_file_perms;
+
+# allow apkdmverity to create dm-verity devices
+allow apkdmverity dm_device:{chr_file blk_file} rw_file_perms;
+# sys_admin is required to access the device-mapper and mount
+allow apkdmverity self:global_capability_class_set sys_admin;
+
+# allow apkdmverity to create loop devices with /dev/loop-control
+allow apkdmverity loop_control_device:chr_file rw_file_perms;
+
+# allow apkdmverity to access loop devices
+allow apkdmverity loop_device:blk_file rw_file_perms;
+allowxperm apkdmverity loop_device:blk_file ioctl {
+  LOOP_SET_STATUS64
+  LOOP_SET_FD
+  LOOP_SET_DIRECT_IO
+};

microdroid/system/private/attributes

@@ -0,0 +1,12 @@
+hal_attribute(lazy_test);
+
+# This is applied to apps on vendor images with SDK <=30 only,
+# to exempt them from recent mls changes. It must not be applied
+# to any domain on newer system or vendor image.
+attribute mlsvendorcompat;
+
+# Attributes for property types having both system_property_type
+# and vendor_property_type. Such types are ill-formed because
+# property owner attributes must be exclusive.
+attribute system_and_vendor_property_type;
+expandattribute system_and_vendor_property_type false;

microdroid/system/private/binderservicedomain.te

@@ -0,0 +1,5 @@
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
+
+use_keystore(binderservicedomain)

microdroid/system/private/bug_map

@@ -0,0 +1,35 @@
+dnsmasq netd fifo_file b/77868789
+dnsmasq netd unix_stream_socket b/77868789
+gmscore_app system_data_file dir b/146166941
+init app_data_file file b/77873135
+init cache_file blk_file b/77873135
+init logpersist file b/77873135
+init nativetest_data_file dir b/77873135
+init pstorefs dir b/77873135
+init shell_data_file dir b/77873135
+init shell_data_file file b/77873135
+init shell_data_file lnk_file b/77873135
+init shell_data_file sock_file b/77873135
+init system_data_file chr_file b/77873135
+isolated_app privapp_data_file dir b/119596573
+isolated_app app_data_file dir b/120394782
+mediaextractor app_data_file file b/77923736
+mediaextractor radio_data_file file b/77923736
+mediaprovider cache_file blk_file b/77925342
+mediaprovider mnt_media_rw_file dir b/77925342
+mediaprovider shell_data_file dir b/77925342
+mediaswcodec ashmem_device chr_file b/142679232
+netd priv_app unix_stream_socket b/77870037
+netd untrusted_app unix_stream_socket b/77870037
+netd untrusted_app_25 unix_stream_socket b/77870037
+netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
+platform_app nfc_data_file dir b/74331887
+system_server crash_dump process b/73128755
+system_server overlayfs_file file b/142390309
+system_server sdcardfs file b/77856826
+system_server zygote process b/77856826
+untrusted_app untrusted_app netlink_route_socket b/155595000
+vold system_data_file file b/124108085
+zygote untrusted_app_25 process b/77925912
+zygote labeledfs filesystem b/170748799

microdroid/system/private/crash_dump.te

@@ -0,0 +1,71 @@
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+allow crash_dump kmsg_debug_device:chr_file { open append };
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+# Read information from /proc/$PID.
+allow crash_dump domain:process getattr;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read all /vendor
+r_dir_file(crash_dump, vendor_file)
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+# crash_dump writes out logcat logs at the bottom of tombstones,
+# which is super useful in some cases.
+unix_socket_connect(crash_dump, logdr, logd)
+
+# Crash dump is not intended to access the following files. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+  core_data_file_type
+  vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
+dontaudit crash_dump property_type:file read;
+
+# Suppress denials for files in /proc that are passed
+# across exec().
+dontaudit crash_dump proc_type:file rw_file_perms;
+
+typeattribute crash_dump coredomain;
+
+# Crash dump does not need to access devices passed across exec().
+dontaudit crash_dump { devpts dev_type }:chr_file { read write };
+
+allow crash_dump {
+  domain
+  -apexd
+  -crash_dump
+  -init
+  -kernel
+  -keystore
+  -logd
+  -ueventd
+  -vendor_init
+}:process { ptrace signal sigchld sigstop sigkill };
+
+userdebug_or_eng(`
+  allow crash_dump {
+    apexd
+    keystore
+    logd
+  }:process { ptrace signal sigchld sigstop sigkill };
+')

microdroid/system/private/domain.te

@@ -0,0 +1,254 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+    fork
+    sigchld
+    sigkill
+    sigstop
+    signull
+    signal
+    getsched
+    setsched
+    getsession
+    getpgid
+    setpgid
+    getcap
+    setcap
+    getattr
+    setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net_type:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+# Root fs.
+allow domain tmpfs:dir { getattr search };
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
+
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
+
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
+allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+allow domain property_contexts_file:file r_file_perms;
+
+dontaudit domain property_type:file audit_access;
+
+allow domain init:key search;
+
+# logd access
+unix_socket_send(domain, logdw, logd)
+
+# Directory/link file access for path resolution.
+allow domain {
+    system_file
+    system_lib_file
+    system_seccomp_policy_file
+    system_security_cacerts_file
+}:dir r_dir_perms;
+allow domain system_file:lnk_file { getattr read };
+
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
+
+allow domain system_event_log_tags_file:file r_file_perms;
+
+allow coredomain system_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr map };
+
+# Allow all domains to be able to follow /system/vendor and/or
+# /vendor/odm symlinks.
+allow domain vendor_file_type:lnk_file { getattr open read };
+
+# This is required to be able to search & read /vendor/lib64
+# in order to lookup vendor libraries. The execute permission
+# for coredomains is granted *only* for same process HALs
+allow domain vendor_file:dir { getattr search };
+
+# Allow reading and executing out of /vendor to all vendor domains
+allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
+allow coredomain system_data_file:dir getattr;
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
+allow domain system_data_root_file:dir { search getattr } ;
+allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to an allowlist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this allowlist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default allowlist for unix sockets.
+allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+  ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# All domains must clearly enumerate what ioctls they use
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets). We start off with a safe set.
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
+
+# If a domain has ioctl access to tun_device, it must clearly enumerate the
+# ioctls used. Safe defaults are listed below.
+allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
+
+# Allow a process to make a determination whether a file descriptor
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this allowlist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
+allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir { getattr search };
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
+allow domain self:global_capability_class_set audit_control;
+allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+
+# workaround for supressing property accesses.
+# TODO: remove these
+set_prop(domain, property_type -vmsecret_keymint_prop)
+# auditallow { domain -init } property_type:property_service set;
+# auditallow { domain -init } property_type:file rw_file_perms;
+
+allow domain linkerconfig_file:dir search;
+allow domain linkerconfig_file:file r_file_perms;
+
+#-----------------------------------------
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain } cgroup:dir w_dir_perms;
+allow { domain } cgroup:file w_file_perms;
+
+allow domain cgroup_v2:dir search;
+allow { domain } cgroup_v2:dir w_dir_perms;
+allow { domain } cgroup_v2:file w_file_perms;
+
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+allow domain task_profiles_api_file:file r_file_perms;
+
+#-----------------------------------------
+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+# We do not apply this to the su domain to avoid interfering with
+# tests (b/114136122)
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;

microdroid/system/private/file.te

@@ -0,0 +1,12 @@
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow proc_net proc:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow system_data_file tmpfs:filesystem associate;

microdroid/system/private/file_contexts

@@ -0,0 +1,166 @@
+###########################################
+# Root
+/                   u:object_r:rootfs:s0
+
+# Data files
+/build\.prop        u:object_r:rootfs:s0
+/init\..*           u:object_r:rootfs:s0
+
+# Executables
+/init               u:object_r:init_exec:s0
+
+# For kernel modules
+/lib(/.*)?          u:object_r:rootfs:s0
+
+# Empty directories
+/lost\+found        u:object_r:rootfs:s0
+/debug_ramdisk      u:object_r:tmpfs:s0
+/mnt                u:object_r:tmpfs:s0
+/proc               u:object_r:rootfs:s0
+/second_stage_resources u:object_r:tmpfs:s0
+/sys                u:object_r:sysfs:s0
+/apex               u:object_r:apex_mnt_dir:s0
+
+/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
+
+# Symlinks
+/bin                u:object_r:rootfs:s0
+/d                  u:object_r:rootfs:s0
+/etc                u:object_r:rootfs:s0
+
+##########################
+# Devices
+#
+/dev(/.*)?		u:object_r:device:s0
+/dev/ashmem		u:object_r:ashmem_device:s0
+/dev/ashmem(.*)?	u:object_r:ashmem_libcutils_device:s0
+/dev/binder		u:object_r:binder_device:s0
+/dev/block(/.*)?	u:object_r:block_device:s0
+/dev/block/dm-[0-9]+	u:object_r:dm_device:s0
+/dev/block/loop[0-9]*	u:object_r:loop_device:s0
+/dev/block/vd[a-z][0-9]*  u:object_r:vd_device:s0
+/dev/block/ram[0-9]*	u:object_r:ram_device:s0
+/dev/block/zram[0-9]*	u:object_r:ram_device:s0
+/dev/console		u:object_r:console_device:s0
+/dev/dma_heap(/.*)?     u:object_r:dmabuf_heap_device:s0
+/dev/dma_heap/system    u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-uncached    u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-secure(.*)	 u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dm-user(/.*)?	u:object_r:dm_user_device:s0
+/dev/device-mapper	u:object_r:dm_device:s0
+/dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)?  u:object_r:cgroup_rc_file:s0
+/dev/fuse		u:object_r:fuse_device:s0
+/dev/hw_random		u:object_r:hw_random_device:s0
+/dev/hwbinder		u:object_r:hwbinder_device:s0
+/dev/loop-control	u:object_r:loop_control_device:s0
+/dev/ppp		u:object_r:ppp_device:s0
+/dev/ptmx		u:object_r:ptmx_device:s0
+/dev/kmsg		u:object_r:kmsg_device:s0
+/dev/kmsg_debug	u:object_r:kmsg_debug_device:s0
+/dev/kvm		u:object_r:kvm_device:s0
+/dev/null		u:object_r:null_device:s0
+/dev/random		u:object_r:random_device:s0
+/dev/rtc[0-9]      u:object_r:rtc_device:s0
+/dev/socket(/.*)?	u:object_r:socket_device:s0
+/dev/socket/adbd	u:object_r:adbd_socket:s0
+/dev/socket/logd	u:object_r:logd_socket:s0
+/dev/socket/logdr	u:object_r:logdr_socket:s0
+/dev/socket/logdw	u:object_r:logdw_socket:s0
+/dev/socket/property_service	u:object_r:property_socket:s0
+/dev/socket/statsdw	u:object_r:statsdw_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/sys/block/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
+/dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
+/dev/tty		u:object_r:owntty_device:s0
+/dev/tty[0-9]*		u:object_r:tty_device:s0
+/dev/ttyS[0-9]*		u:object_r:serial_device:s0
+/dev/tun		u:object_r:tun_device:s0
+/dev/uhid		u:object_r:uhid_device:s0
+/dev/uinput		u:object_r:uhid_device:s0
+/dev/uio[0-9]*		u:object_r:uio_device:s0
+/dev/urandom		u:object_r:random_device:s0
+/dev/vhost-vsock	u:object_r:kvm_device:s0
+/dev/vndbinder		u:object_r:vndbinder_device:s0
+/dev/zero		u:object_r:zero_device:s0
+/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/property_info   u:object_r:property_info:s0
+#############################
+# Linker configuration
+#
+/linkerconfig(/.*)?          u:object_r:linkerconfig_file:s0
+#############################
+# System files
+#
+/system(/.*)?          u:object_r:system_file:s0
+/system/lib(64)?(/.*)?         u:object_r:system_lib_file:s0
+/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
+/system/bin/apexd                u:object_r:apexd_exec:s0
+/system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
+/system/bin/servicemanager	u:object_r:servicemanager_exec:s0
+/system/bin/hwservicemanager	u:object_r:hwservicemanager_exec:s0
+/system/bin/init		u:object_r:init_exec:s0
+/system/bin/keystore2	u:object_r:keystore_exec:s0
+/system/bin/logcat	--	u:object_r:logcat_exec:s0
+/system/bin/logd        u:object_r:logd_exec:s0
+/system/bin/run-as	--	u:object_r:runas_exec:s0
+/system/bin/sh		--	u:object_r:shell_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/toolbox	--	u:object_r:toolbox_exec:s0
+/system/bin/toybox	--	u:object_r:toolbox_exec:s0
+/system/bin/zipfuse              u:object_r:zipfuse_exec:s0
+/system/bin/microdroid_launcher  u:object_r:microdroid_app_exec:s0
+/system/bin/microdroid_manager   u:object_r:microdroid_manager_exec:s0
+/system/bin/apkdmverity          u:object_r:apkdmverity_exec:s0
+/system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
+/system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
+/system/etc/group                       u:object_r:system_group_file:s0
+/system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
+/system/etc/passwd                      u:object_r:system_passwd_file:s0
+/system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
+/system/etc/security/cacerts(/.*)?      u:object_r:system_security_cacerts_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_keystore2_key_contexts  u:object_r:keystore2_key_contexts_file:s0
+/system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_api_file:s0
+
+#############################
+# Vendor files
+#
+/vendor(/.*)?                  u:object_r:vendor_file:s0
+/vendor/etc(/.*)?              u:object_r:vendor_configs_file:s0
+/vendor/etc/vintf(/.*)?        u:object_r:vendor_configs_file:s0
+
+#############################
+# Data files
+#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
+/data		u:object_r:system_data_root_file:s0
+/data/(.*)?		u:object_r:system_data_file:s0
+/data/local/tests(/.*)?	u:object_r:shell_test_data_file:s0
+/data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
+/data/local/traces(/.*)?	u:object_r:trace_data_file:s0
+/data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
+/data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
+/data/vendor(/.*)?              u:object_r:vendor_data_file:s0
+
+# microdroid doesn't use anr, but tombstoned tries to read this.
+# So marking /data/anr as tombstone_data_file
+/data/anr(/.*)?		u:object_r:tombstone_data_file:s0

microdroid/system/private/fs_use

@@ -0,0 +1,27 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+fs_use_xattr overlay u:object_r:labeledfs:s0;
+fs_use_xattr erofs u:object_r:labeledfs:s0;
+fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
+fs_use_xattr virtiofs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+

microdroid/system/private/genfs_contexts

@@ -0,0 +1,378 @@
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
+genfscon proc /filesystems u:object_r:proc_filesystems:s0
+genfscon proc /interrupts u:object_r:proc_interrupts:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
+genfscon proc /keys u:object_r:proc_keys:s0
+genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
+genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
+genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
+genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
+genfscon proc /softirqs u:object_r:proc_timer:s0
+genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /swaps u:object_r:proc_swaps:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
+genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /timer_list u:object_r:proc_timer:s0
+genfscon proc /timer_stats u:object_r:proc_timer:s0
+genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
+genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+
+genfscon fusectl / u:object_r:fusectlfs:s0
+
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/cs_etm                    u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/extcon                      u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
+genfscon sysfs /class/net                         u:object_r:sysfs_net:s0
+genfscon sysfs /class/rfkill/rfkill0/state        u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill1/state        u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill2/state        u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rfkill/rfkill3/state        u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /class/rtc                         u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/switch                      u:object_r:sysfs_switch:s0
+genfscon sysfs /class/wakeup                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/android_usb     u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/            u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/virtual/block/dm-       u:object_r:sysfs_dm:s0
+genfscon sysfs /devices/virtual/block/loop       u:object_r:sysfs_loop:s0
+genfscon sysfs /devices/virtual/block/zram0     u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1     u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent    u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent    u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/net             u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
+genfscon sysfs /devices/virtual/wakeup          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
+genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /fs/f2fs                           u:object_r:sysfs_fs_f2fs:s0
+genfscon sysfs /fs/incremental-fs/features        u:object_r:sysfs_fs_incfs_features:s0
+genfscon sysfs /fs/incremental-fs/instances       u:object_r:sysfs_fs_incfs_metrics:s0
+genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
+genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
+genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
+genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
+genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
+genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
+
+genfscon debugfs /kprobes                             u:object_r:debugfs_kprobes:s0
+genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing                             u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /                                    u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on                  u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on                          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu                 u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu                         u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/instances                   u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances                           u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/bootreceiver      u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon tracefs /instances/bootreceiver              u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon debugfs /tracing/instances/mm_events         u:object_r:debugfs_mm_events_tracing:s0
+genfscon tracefs /instances/mm_events                 u:object_r:debugfs_mm_events_tracing:s0
+genfscon debugfs /tracing/instances/wifi              u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi                      u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker                u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker                        u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources                      u:object_r:debugfs_wakeup_sources:s0
+genfscon debugfs /tracing/printk_formats              u:object_r:debugfs_tracing_printk_formats:s0
+genfscon tracefs /printk_formats                      u:object_r:debugfs_tracing_printk_formats:s0
+
+genfscon debugfs /tracing/events/header_page                         u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_iget/                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/              u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_load_inode/               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/            u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /events/header_page                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_get_data_block/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_iget/                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/          u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/              u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/   u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/    u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_load_inode/               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/          u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/            u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /trace_clock                                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb                                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite                                      u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid                                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/record-tgid                                    u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size                                    u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/                             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/                             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup_new/                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_waking/                             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/                        u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_exit/                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_free/                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_pi_setprio/                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/                                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_enable/                             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_disable/                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/                   u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/                  u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/                      u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/                             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_alloc_buf/            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_set_priority/                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/                                          u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/dma_fence/                                      u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/      u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/rss_stat/                                  u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_grow/                             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_shrink/                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ion/ion_stat/                                   u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/mm_event/mm_event_record/                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/oom_score_adj_update/                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/mark_victim/                                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_rename/                               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_newtask/                              u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ftrace/print/                                   u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/thermal_temperature/                    u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/cdev_update/                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_enter/                              u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_exit/                               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_pause/                              u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ipi/                                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/irq/                                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_enable/                                 u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_disable/                                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_set_rate/                               u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite                                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid                                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/record-tgid                                    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size                                    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup_new/                         u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_waking/                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/                        u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_free/                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_pi_setprio/                         u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/                                         u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_enable/                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_disable/                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/                   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/                  u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_set_priority/                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/dma_fence/                                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/rss_stat/                                          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_grow/                                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_shrink/                                   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ion/ion_stat/                                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/mm_event/mm_event_record/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/oom_score_adj_update/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/mark_victim/                                        u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_rename/                                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_newtask/                                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ftrace/print/                                   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/thermal_temperature/                    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/cdev_update/                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/                              u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ipi/                                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/irq/                                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_enable/                                 u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_disable/                                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_set_rate/                               u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
+
+genfscon securityfs / u:object_r:securityfs:s0
+
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
+genfscon exfat / u:object_r:exfat:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
+genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0

microdroid/system/private/halclientdomain.te

@@ -0,0 +1,10 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;

microdroid/system/private/hwservice_contexts

@@ -0,0 +1,7 @@
+android.hardware.keymaster::IKeymasterDevice                    u:object_r:hal_keymaster_hwservice:s0
+android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase                                        u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager                           u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper                                    u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager                               u:object_r:hidl_token_hwservice:s0
+*                                                               u:object_r:default_android_hwservice:s0

microdroid/system/private/hwservicemanager.te

@@ -0,0 +1,25 @@
+typeattribute hwservicemanager coredomain;
+
+init_daemon_domain(hwservicemanager)
+
+allow hwservicemanager vendor_configs_file:file { open getattr };
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)

microdroid/system/private/init.te

@@ -0,0 +1,446 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, vendor_init)
+
+# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
+# This is useful in case of remounting ext4 userdata into checkpointing mode,
+# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
+# that userdata is mounted onto.
+allow init sysfs_dm:file read;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+allow init self:perf_event { open cpu };
+allow init self:global_capability2_class_set perfmon;
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
+# chown/chmod on devices.
+allow init {
+  dev_type
+  -hw_random_device
+  -kvm_device
+}:chr_file setattr;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device dm_user_device }:dir relabelto;
+# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
+allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init {
+    rootfs
+    cgroup
+    linkerconfig_file
+    system_data_file
+    system_data_root_file
+    system_file
+    vendor_file
+}:dir mounton;
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set { dac_override dac_read_search };
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init {
+  fs_type
+}:filesystem ~relabelto;
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+  file_type
+  -exec_type
+  -system_file_type
+  -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+  file_type
+  -exec_type
+  -keystore_data_file
+  -shell_data_file
+  -system_file_type
+  -vendor_file_type
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+  file_type
+  -apex_info_file
+  -exec_type
+  -keystore_data_file
+  -runtime_event_log_tags_file
+  -shell_data_file
+  -system_file_type
+  -vendor_file_type
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
+allow init {
+  file_type
+  -exec_type
+  -keystore_data_file
+  -shell_data_file
+  -system_file_type
+  -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+  file_type
+  -apex_mnt_dir
+  -exec_type
+  -keystore_data_file
+  -shell_data_file
+  -system_file_type
+  -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init {
+  file_type
+  -system_file_type
+  -vendor_file_type
+  -exec_type
+}:dir_file_class_set relabelto;
+
+allow init { sysfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# chown/chmod on pseudo files.
+allow init {
+  fs_type
+  -contextmount_type
+  -proc_type
+  -fusefs_type
+  -sysfs_type
+  -rootfs
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir  { open read setattr search };
+
+allow init {
+  binder_device
+  console_device
+  devpts
+  dm_device
+  hwbinder_device
+  kmsg_device
+  null_device
+  owntty_device
+  ptmx_device
+  random_device
+  tty_device
+  zero_device
+}:chr_file { read open };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
+
+allow init {
+  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+  proc_bootconfig
+  proc_cmdline
+  proc_diskstats
+  proc_kmsg # Open /proc/kmsg for logd service.
+  proc_meminfo
+  proc_stat # Read /proc/stat for bootchart.
+  proc_uptime
+  proc_version
+}:file r_file_perms;
+
+allow init {
+  proc_abi
+  proc_dirty
+  proc_hostname
+  proc_hung_task
+  proc_extra_free_kbytes
+  proc_net_type
+  proc_max_map_count
+  proc_min_free_order_shift
+  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
+  proc_panic
+  proc_page_cluster
+  proc_perf
+  proc_sched
+  proc_sysrq
+}:file w_file_perms;
+
+allow init {
+  proc_security
+}:file rw_file_perms;
+
+# init chmod/chown access to /proc files.
+allow init {
+  proc_cmdline
+  proc_bootconfig
+  proc_kmsg
+  proc_net
+  proc_pagetypeinfo
+  proc_qtaguid_stat
+  proc_slabinfo
+  proc_sysrq
+  proc_qtaguid_ctrl
+  proc_vmallocinfo
+}:file setattr;
+
+# init access to /sys files.
+allow init {
+  sysfs_android_usb
+  sysfs_dm_verity
+  sysfs_leds
+  sysfs_power
+  sysfs_fs_f2fs
+  sysfs_dm
+}:file w_file_perms;
+
+allow init {
+  sysfs_dt_firmware_android
+  sysfs_fs_ext4_features
+}:file r_file_perms;
+
+allow init {
+  sysfs_zram
+}:file rw_file_perms;
+
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+  LOOP_SET_FD
+  LOOP_CLR_FD
+  LOOP_CTL_GET_FREE
+  LOOP_SET_BLOCK_SIZE
+  LOOP_SET_DIRECT_IO
+  LOOP_GET_STATUS
+};
+
+# init chmod/chown access to /sys files.
+allow init {
+  sysfs_android_usb
+  sysfs_devices_system_cpu
+  sysfs_ipv4
+  sysfs_leds
+  sysfs_lowmemorykiller
+  sysfs_power
+  sysfs_vibrator
+  sysfs_wake_lock
+  sysfs_zram
+}:file setattr;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# Set scheduling info for psi monitor thread.
+# TODO: delete or revise this line b/131761776
+allow init kernel:process { getsched setsched };
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO:  Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
+# init is using bootstrap bionic
+allow init system_bootstrap_lib_file:dir r_dir_perms;
+allow init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
+set_prop(init, property_type)

microdroid/system/private/initial_sid_contexts

@@ -0,0 +1,27 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0

microdroid/system/private/initial_sids

@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK

microdroid/system/private/kernel.te

@@ -0,0 +1,83 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
+
+# The following sections are for the transition period during a Virtual A/B
+# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
+# context, and with properly labelled devices. This must be done before
+# enabling enforcement, eg, in permissive mode while still in the kernel
+# context.
+allow kernel tmpfs:blk_file { getattr relabelfrom };
+allow kernel tmpfs:chr_file { getattr relabelfrom };
+allow kernel tmpfs:lnk_file { getattr relabelfrom };
+allow kernel tmpfs:dir { open read relabelfrom };
+
+allow kernel block_device:blk_file relabelto;
+allow kernel block_device:lnk_file relabelto;
+allow kernel dm_device:chr_file relabelto;
+allow kernel dm_device:blk_file relabelto;
+allow kernel dm_user_device:dir { read open search relabelto };
+allow kernel dm_user_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file relabelto;
+allow kernel null_device:chr_file relabelto;
+allow kernel random_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file write;
+allow kernel vd_device:blk_file read;
+
+allow kernel self:global_capability_class_set sys_nice;
+
+# Root fs.
+r_dir_file(kernel, rootfs)
+
+# Used to read androidboot.selinux property
+allow kernel {
+  proc_bootconfig
+  proc_cmdline
+}:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel { sdcard_type fuse }:file { read write };
+
+# Allow the kernel to read APEX file descriptors and (staged) data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+
+#-----------------------------------------
+allow kernel apkdmverity:fd use;

microdroid/system/private/keys.conf

@@ -0,0 +1,28 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+
+[@MEDIA]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
+
+[@NETWORK_STACK]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
+
+[@SHARED]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
+
+# Example of ALL TARGET_BUILD_VARIANTS
+[@RELEASE]
+ENG       : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER      : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+

microdroid/system/private/keystore.te

@@ -0,0 +1,15 @@
+typeattribute keystore coredomain;
+
+init_daemon_domain(keystore)
+
+# talk to keymint
+hal_client_domain(keystore, hal_keymint)
+
+# Allow keystore to write to statsd.
+unix_socket_send(keystore, statsdw, statsd)
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
+
+# microdroid doesn't use keymaster HAL
+dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;

microdroid/system/private/keystore2_key_contexts

@@ -0,0 +1,11 @@
+# Keystore 2.0 key contexts.
+# This file defines Keystore 2.0 namespaces and maps them to labels.
+# Format:
+# <namespace> <label>
+#
+# <namespace> must be an integer in the interval [0 ...  2^31)
+
+# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
+# TODO(b/191843770): sort out a longer term policy
+140            u:object_r:vm_payload_key:s0
+

microdroid/system/private/linkerconfig.te

@@ -0,0 +1,21 @@
+type linkerconfig, domain, coredomain;
+type linkerconfig_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(linkerconfig)
+
+## Read and write linkerconfig subdirectory.
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
+allow linkerconfig linkerconfig_file:file create_file_perms;
+
+# Allow linkerconfig to log to the kernel.
+allow linkerconfig kmsg_device:chr_file w_file_perms;
+
+# Allow linkerconfig to be invoked with logwrapper from init.
+allow linkerconfig devpts:chr_file { read write };
+
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
+# Allow linkerconfig to read apex-info-list.xml
+allow linkerconfig apex_info_file:file r_file_perms;
+

microdroid/system/private/logd.te

@@ -0,0 +1,43 @@
+typeattribute logd coredomain;
+
+init_daemon_domain(logd)
+
+allow logd adbd:dir search;
+allow logd adbd:file { getattr open read };
+allow logd device:dir search;
+allow logd hwservicemanager:dir search;
+allow logd hwservicemanager:file { open read };
+allow logd init:dir search;
+allow logd init:fd use;
+allow logd init:file { getattr open read };
+allow logd kernel:dir search;
+allow logd kernel:file { getattr open read };
+allow logd kernel:system { syslog_mod syslog_read };
+allow logd keystore:dir search;
+allow logd keystore:file { getattr open read };
+allow logd linkerconfig_file:dir search;
+allow logd microdroid_manager:dir search;
+allow logd microdroid_manager:file { getattr open read };
+allow logd null_device:chr_file { open read };
+#allow logd proc_kmsg:file read;
+r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+allow logd self:fifo_file { read write };
+allow logd self:file { getattr open read };
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+#allow logd self:netlink_audit_socket getopt;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kmsg_device:chr_file { getattr w_file_perms };
+r_dir_file(logd, domain)
+allow logd self:unix_stream_socket { accept getopt setopt shutdown };
+allow logd servicemanager:dir search;
+allow logd servicemanager:file { open read };
+allow logd tombstoned:dir search;
+allow logd tombstoned:file { getattr open read };
+allow logd ueventd:dir search;
+allow logd ueventd:file { getattr open read };
+control_logd(logd)
+read_runtime_log_tags(logd)

microdroid/system/private/mac_permissions.xml

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag. The signature can
+      either appear as a set of attached cert child tags or as an attribute.
+    * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+    * Each signer/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process as well as the apps data directory.
+    * seinfo assignments are made according to the following rules:
+      - Stanzas with package name refinements will be checked first.
+      - Stanzas w/o package name refinements will be checked second.
+      - The "default" seinfo label is automatically applied.
+
+    * valid stanzas can take one of the following forms:
+
+     // single cert protecting seinfo
+     <signer signature="@PLATFORM" >
+       <seinfo value="platform" />
+     </signer>
+
+     // multiple certs protecting seinfo (all contained certs must match)
+     <signer>
+       <cert signature="@PLATFORM1"/>
+       <cert signature="@PLATFORM2"/>
+       <seinfo value="platform" />
+     </signer>
+
+     // single cert protecting explicitly named app
+     <signer signature="@PLATFORM" >
+       <package name="com.android.foo">
+         <seinfo value="bar" />
+       </package>
+     </signer>
+
+     // multiple certs protecting explicitly named app (all certs must match)
+     <signer>
+       <cert signature="@PLATFORM1"/>
+       <cert signature="@PLATFORM2"/>
+       <package name="com.android.foo">
+         <seinfo value="bar" />
+       </package>
+     </signer>
+-->
+
+    <!-- Platform dev key in AOSP -->
+    <signer signature="@PLATFORM" >
+      <seinfo value="platform" />
+    </signer>
+
+    <!-- Media key in AOSP -->
+    <signer signature="@MEDIA" >
+      <seinfo value="media" />
+    </signer>
+
+    <signer signature="@NETWORK_STACK" >
+      <seinfo value="network_stack" />
+    </signer>
+</policy>

microdroid/system/private/microdroid_app.te

@@ -0,0 +1,51 @@
+# microdroid_app is a domain for microdroid_launcher, which is a binary that
+# loads a shared library from an apk and executes it by calling an entry point
+# in the library. This can be considered as the native counterpart of
+# app_process for Java.
+#
+# Both microdroid_launcher and payload from the shared library run in the
+# context of microdroid_app.
+
+type microdroid_app, domain, coredomain;
+type microdroid_app_exec, exec_type, file_type, system_file_type;
+
+# Allow to communicate use, read and write over the adb connection.
+allow microdroid_app adbd:fd use;
+allow microdroid_app adbd:unix_stream_socket { read write };
+
+# microdroid_launcher is launched by microdroid_manager with fork/execvp.
+allow microdroid_app microdroid_manager:fd use;
+
+# Allow to use FDs inherited from the shell. This includes the FD opened for
+# the microdroid_launcher executable itself and the FD for adb connection.
+# TODO(b/186396070) remove this when this is executed from microdroid_manager
+userdebug_or_eng(`
+  allow microdroid_app shell:fd use;
+')
+
+# Allow to use terminal
+allow microdroid_app devpts:chr_file rw_file_perms;
+
+# Allow to set debug prop
+set_prop(microdroid_app, debug_prop)
+
+# Talk to binder services (for keystore)
+binder_use(microdroid_app);
+
+# Allow payloads to use keystore
+use_keystore(microdroid_app);
+
+# Allow payloads to use and manage their keys
+allow microdroid_app vm_payload_key:keystore2_key {
+    delete
+    get_info
+    manage_blob
+    rebind
+    use
+};
+
+# Allow microdroid_app to use vsock inherited from microdroid_manager
+allow microdroid_app microdroid_manager:vsock_socket { read write };
+
+# Write to /dev/kmsg.
+allow microdroid_app kmsg_device:chr_file rw_file_perms;

microdroid/system/private/microdroid_manager.te

@@ -0,0 +1,37 @@
+# microdroid_manager is a daemon running in the microdroid.
+
+type microdroid_manager, domain, coredomain;
+type microdroid_manager_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(microdroid_manager)
+
+# microdroid_manager accesses a virtual disk block device to read VM payload
+allow microdroid_manager block_device:dir r_dir_perms;
+allow microdroid_manager block_device:lnk_file r_file_perms;
+allow microdroid_manager vd_device:blk_file r_file_perms;
+
+# microdroid_manager start payload task via microdroid_launcher
+domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app);
+
+# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
+# TODO(b/189706019) we need to a domain for the app process.
+allow microdroid_manager system_file:file execute_no_trans;
+# Until then, allow microdroid_manager to execute the shell or other system executables.
+allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
+
+# Let microdroid_manager kernel-log.
+allow microdroid_manager kmsg_device:chr_file w_file_perms;
+
+# Let microdroid_manager initialize the derived VM secrets.
+set_prop(microdroid_manager, vmsecret_keymint_prop);
+
+# Let microdroid_manager read a config file from /mnt/apk (fusefs)
+# TODO(b/188400186) remove the below two rules
+userdebug_or_eng(`
+  allow microdroid_manager fuse:dir r_dir_perms;
+  allow microdroid_manager fuse:file rx_file_perms;
+')
+
+# Let microdroid_manager to create a vsock connection back to the host VM
+allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };

microdroid/system/private/mls

@@ -0,0 +1,89 @@
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition:  Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+	     (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations:  Require equivalence unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+	     (l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# Create/relabel operations:  Subject must be equivalent to object unless
+# the subject is trusted.  Sockets inherit the range of their creator.
+mlsconstrain socket_class_set { create relabelfrom relabelto }
+	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Datagram send: Sender must be equivalent to the receiver unless one of them
+# is trusted.
+mlsconstrain unix_dgram_socket { sendto }
+	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect:  Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations:  Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain dir_file_class_set { create relabelfrom relabelto }
+	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+#
+# Constraints for file types other than app data files.
+#
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+	     or (t1 == mlsvendorcompat and t2 == system_data_file) );
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be equivalent to the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
+mlsconstrain fifo_file { read getattr }
+	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

microdroid/system/private/mls_decl

@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)

microdroid/system/private/mls_macros

@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')

microdroid/system/private/net.te

@@ -0,0 +1,16 @@
+## Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+###
+### Domain with network access
+###
+
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+allow netdomain port_type:tcp_socket name_connect;
+allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;

microdroid/system/private/policy_capabilities

@@ -0,0 +1,20 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
+# Enable NoNewPrivileges support.  Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;

microdroid/system/private/port_contexts

@@ -0,0 +1 @@
+# This file can't be empty, but is unused on microdroid

microdroid/system/private/property.te

@@ -0,0 +1,16 @@
+###
+### Neverallow rules
+###
+
+neverallow {
+  domain
+  -init
+  -microdroid_manager
+} vmsecret_keymint_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -microdroid_manager
+  -hal_keymint_server
+} vmsecret_keymint_prop:file no_rw_file_perms;

microdroid/system/private/property_contexts

@@ -0,0 +1,97 @@
+# property contexts for microdroid
+# microdroid only uses much fewer properties than normal Android, so every property is listed here.
+# The only exceptions are "debug.", "init.svc_debug_pid.", and "ctl." properties.
+
+debug. u:object_r:debug_prop:s0 prefix
+
+init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 prefix int
+
+ctl.sigstop_on$         u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$        u:object_r:ctl_sigstop_prop:s0
+ctl.start$              u:object_r:ctl_start_prop:s0
+ctl.stop$               u:object_r:ctl_stop_prop:s0
+ctl.restart$            u:object_r:ctl_restart_prop:s0
+ctl.interface_start$    u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$     u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$  u:object_r:ctl_interface_restart_prop:s0
+
+ctl.start$adbd   u:object_r:ctl_adbd_prop:s0
+ctl.stop$adbd    u:object_r:ctl_adbd_prop:s0
+ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
+
+ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+
+ctl.fuse_   u:object_r:ctl_fuse_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
+ctl.        u:object_r:ctl_default_prop:s0
+
+sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
+
+service.adb.root u:object_r:shell_prop:s0 exact bool
+
+ro.logd.kernel u:object_r:logd_prop:s0 exact bool
+
+ro.boottime.adbd                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.hwservicemanager          u:object_r:boottime_prop:s0 exact int
+ro.boottime.init                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.cold_boot_wait       u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.first_stage          u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.modules              u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.selinux              u:object_r:boottime_prop:s0 exact int
+ro.boottime.keystore2                 u:object_r:boottime_prop:s0 exact int
+ro.boottime.logd                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.logd-reinit               u:object_r:boottime_prop:s0 exact int
+ro.boottime.microdroid_manager        u:object_r:boottime_prop:s0 exact int
+ro.boottime.servicemanager            u:object_r:boottime_prop:s0 exact int
+ro.boottime.tombstoned                u:object_r:boottime_prop:s0 exact int
+ro.boottime.ueventd                   u:object_r:boottime_prop:s0 exact int
+ro.boottime.vendor.keymint-microdroid u:object_r:boottime_prop:s0 exact int
+ro.boottime.zipfuse                   u:object_r:boottime_prop:s0 exact int
+
+ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
+
+ro.vmsecret.keymint u:object_r:vmsecret_keymint_prop:s0 exact string
+
+hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
+
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+
+ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
+
+sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+
+init.svc.hwservicemanager          u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.keystore2                 u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd                      u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd-reinit               u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.microdroid_manager        u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.servicemanager            u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.ueventd                   u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.zipfuse                   u:object_r:init_service_status_private_prop:s0 exact string
+
+init.svc.adbd       u:object_r:init_service_status_prop:s0 exact string
+init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
+
+init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
+
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.baseband      u:object_r:bootloader_prop:s0 exact string
+ro.bootloader    u:object_r:bootloader_prop:s0 exact string
+ro.bootmode      u:object_r:bootloader_prop:s0 exact string
+ro.hardware      u:object_r:bootloader_prop:s0 exact string
+ro.revision      u:object_r:bootloader_prop:s0 exact string
+
+ro.build.id                     u:object_r:build_prop:s0 exact string
+ro.build.version.release        u:object_r:build_prop:s0 exact string
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.debuggable                   u:object_r:build_prop:s0 exact bool
+ro.product.cpu.abilist          u:object_r:build_prop:s0 exact string
+ro.adb.secure                   u:object_r:build_prop:s0 exact bool
+
+ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
+
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+
+ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
+
+keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int

microdroid/system/private/roles_decl

@@ -0,0 +1 @@
+role r;

microdroid/system/private/seapp_contexts

@@ -0,0 +1 @@
+# This file can't be empty, but is unused on microdroid

microdroid/system/private/security_classes

@@ -0,0 +1,167 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class anon_inode
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+class process2
+
+class bpf
+
+class xdp_socket
+
+class perf_event
+
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
+# Property service
+class property_service          # userspace
+
+# Service manager
+class service_manager           # userspace
+
+# hardware service manager      # userspace
+class hwservice_manager
+
+# Legacy Keystore key permissions
+class keystore_key              # userspace
+
+# Keystore 2.0 permissions
+class keystore2                 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key             # userspace
+
+class drmservice                # userspace
+# FLASK

microdroid/system/private/service_contexts

@@ -0,0 +1,18 @@
+android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0
+android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
+
+adb                                       u:object_r:adb_service:s0
+android.security.apc                      u:object_r:apc_service:s0
+android.security.authorization            u:object_r:authorization_service:s0
+android.security.compat                   u:object_r:keystore_compat_hal_service:s0
+android.security.identity                 u:object_r:credstore_service:s0
+android.security.keystore                 u:object_r:keystore_service:s0
+android.security.legacykeystore           u:object_r:legacykeystore_service:s0
+android.security.maintenance              u:object_r:keystore_maintenance_service:s0
+android.security.metrics                  u:object_r:keystore_metrics_service:s0
+android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
+apexservice                               u:object_r:apex_service:s0
+*                                         u:object_r:default_android_service:s0

microdroid/system/private/servicemanager.te

@@ -0,0 +1,23 @@
+typeattribute servicemanager coredomain;
+
+init_daemon_domain(servicemanager)
+
+selinux_check_access(servicemanager)
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains.  It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+  domain
+  -init
+  -vendor_init
+  -hwservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;

microdroid/system/private/shell.te

@@ -0,0 +1,31 @@
+typeattribute shell coredomain, mlstrustedsubject;
+
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
+
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
+# Allow shell to launch microdroid_launcher in its own domain
+# TODO(b/186396070) remove this when microdroid_manager can do this
+domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
+domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow shell adbd:unix_stream_socket connectto;
+allow shell adbd:fd use;
+allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# filesystem test for insecure chr_file's is done
+# via a host side test
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# filesystem test for insucre blk_file's is done
+# via hostside test
+allow shell dev_type:blk_file getattr;

microdroid/system/private/statsd.te

@@ -0,0 +1,3 @@
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)

microdroid/system/private/su.te

@@ -0,0 +1,12 @@
+userdebug_or_eng(`
+  typeattribute su coredomain;
+
+  domain_auto_trans(shell, su_exec, su)
+
+  # su is also permissive to permit setenforce.
+  permissive su;
+
+  # Do not audit accesses to keystore2 namespace for the su domain.
+  dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
+')

microdroid/system/private/tombstoned.te

@@ -0,0 +1,12 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };

microdroid/system/private/toolbox.te

@@ -0,0 +1,3 @@
+typeattribute toolbox coredomain;
+
+init_daemon_domain(toolbox)

microdroid/system/private/ueventd.te

@@ -0,0 +1,52 @@
+typeattribute ueventd coredomain;
+
+tmpfs_domain(ueventd)
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file_type)
+
+# Access for /apex/*/firmware
+allow ueventd apex_mnt_dir:dir r_dir_perms;
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
+
+# ueventd loads modules in response to modalias events.
+allow ueventd self:global_capability_class_set sys_module;
+allow ueventd vendor_file:system module_load;
+allow ueventd kernel:key search;
+
+# ueventd is using bootstrap bionic
+allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
+allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+

microdroid/system/private/users

@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;

microdroid/system/private/zipfuse.te

@@ -0,0 +1,34 @@
+# zipfuse is a FUSE daemon running in the microdroid. It mounts
+# /dev/block/by-name/microdroid-apk whose content is from an apk file on
+# /mnt/apk so that the entries in the apk file are seen as regular files. See
+# packages/modules/Virtualization/zipfuse.
+
+type zipfuse, domain, coredomain;
+type zipfuse_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(zipfuse)
+
+# allow basic rules to implement FUSE
+allow zipfuse fuse_device:chr_file rw_file_perms;
+allow zipfuse self:global_capability_class_set sys_admin;
+
+# allow access to /dev/vd* block device files and also access to the symlinks
+# /dev/block/by-name/*
+allow zipfuse block_device:dir r_dir_perms;
+allow zipfuse block_device:lnk_file r_file_perms;
+
+# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
+allow zipfuse dm_device:blk_file r_file_perms;
+
+# allow mounting on /mnt/apk
+allow zipfuse tmpfs:dir mounton;
+
+# allow mounting with fscontext=u:object_r:zipfusefs:s0
+type zipfusefs, fs_type, contextmount_type;
+allow zipfuse fuse:filesystem relabelfrom;
+allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
+
+# allow mounting with context=u:object_r:system_file:s0 so that files provided
+# by zipfuse are treated the same as the other files in /system or /apex
+allow system_file zipfusefs:filesystem associate;

microdroid/system/public/adbd.te

@@ -0,0 +1,2 @@
+type adbd, domain;
+type adbd_exec, exec_type, file_type, system_file_type;

microdroid/system/public/apexd.te

@@ -0,0 +1,5 @@
+type apexd, domain, coredomain;
+type apexd_exec, file_type, exec_type, system_file_type;
+
+binder_use(apexd)
+add_service(apexd, apex_service)

microdroid/system/public/attributes

@@ -0,0 +1,395 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# in tools/checkfc.c
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute fs_type;
+
+# All types used for context= mounts.
+attribute contextmount_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+expandattribute data_file_type false;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+expandattribute core_data_file_type false;
+
+# All types used for app private data files in seapp_contexts.
+# Such types should not be applied to any other files.
+attribute app_data_file_type;
+expandattribute app_data_file_type false;
+
+# All types in /system
+attribute system_file_type;
+
+# All types in /vendor
+attribute vendor_file_type;
+
+# All types used for procfs files.
+attribute proc_type;
+expandattribute proc_type false;
+
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
+
+# All types used for sysfs files.
+attribute sysfs_type;
+
+# All types use for debugfs files.
+attribute debugfs_type;
+
+# All types used for tracefs files.
+attribute tracefs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+# On change, update CHECK_PC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute property_type;
+
+# All properties defined in core SELinux policy. Should not be
+# used by device specific properties
+attribute core_property_type;
+
+# All properties used to configure log filtering.
+attribute log_property_type;
+
+# All properties that are not specific to device but are added from
+# outside of AOSP. (e.g. OEM-specific properties)
+# These properties are not accessible from device-specific domains
+attribute extended_core_property_type;
+
+# Properties used for representing ownership. All properties should have one
+# of: system_property_type, product_property_type, or vendor_property_type.
+
+# All properties defined by /system.
+attribute system_property_type;
+expandattribute system_property_type false;
+
+# All /system-defined properties used only in /system.
+attribute system_internal_property_type;
+expandattribute system_internal_property_type false;
+
+# All /system-defined properties which can't be written outside /system.
+attribute system_restricted_property_type;
+expandattribute system_restricted_property_type false;
+
+# All /system-defined properties with no restrictions.
+attribute system_public_property_type;
+expandattribute system_public_property_type false;
+
+# All keystore2_key labels.
+attribute keystore2_key_type;
+
+# All properties defined by /product.
+# Currently there are no enforcements between /system and /product, so for now
+# /product attributes are just replaced to /system attributes.
+define(`product_property_type',   `system_property_type')
+define(`product_internal_property_type',   `system_internal_property_type')
+define(`product_restricted_property_type', `system_restricted_property_type')
+define(`product_public_property_type',     `system_public_property_type')
+
+# All properties defined by /vendor.
+attribute vendor_property_type;
+expandattribute vendor_property_type false;
+
+# All /vendor-defined properties used only in /vendor.
+attribute vendor_internal_property_type;
+expandattribute vendor_internal_property_type false;
+
+# All /vendor-defined properties which can't be written outside /vendor.
+attribute vendor_restricted_property_type;
+expandattribute vendor_restricted_property_type false;
+
+# All /vendor-defined properties with no restrictions.
+attribute vendor_public_property_type;
+expandattribute vendor_public_property_type false;
+
+# All service_manager types created by system_server
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which should be available to all ephemeral apps
+attribute ephemeral_app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
+
+# services which are explicitly disallowed for untrusted apps to access
+attribute protected_service;
+
+# services which served by vendor and also using the copy of libbinder on
+# system (for instance via libbinder_ndk). services using a different copy
+# of libbinder currently need their own context manager (e.g.
+# vndservicemanager)
+attribute vendor_service;
+
+# All types used for services managed by servicemanager.
+# On change, update CHECK_SC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute service_manager_type;
+
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
+# All HwBinder services that untrusted apps can't directly access
+attribute protected_hwservice;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All third party apps (except isolated_app and ephemeral_app)
+attribute untrusted_app_all;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# update_engine related domains that need to apply an update and run
+# postinstall. This includes the background daemon and the sideload tool from
+# recovery for A/B devices.
+attribute update_engine_common;
+
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All vendor hwservice.
+attribute vendor_hwservice_type;
+
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+expandattribute coredomain_socket false;
+
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+expandattribute socket_between_core_and_vendor_violators false;
+
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+expandattribute vendor_executes_system_violators false;
+
+# All domains which violate the requirement of not sharing files by path
+# between between vendor and core domains.
+# TODO(b/34980020)
+attribute data_between_core_and_vendor_violators;
+expandattribute data_between_core_and_vendor_violators false;
+
+# All system domains which violate the requirement of not executing vendor
+# binaries/libraries.
+# TODO(b/62041836)
+attribute system_executes_vendor_violators;
+expandattribute system_executes_vendor_violators false;
+
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
+# All system domains which violate the requirement of not writing to
+# /mnt/vendor/*. Must not be used on devices launched with P or later.
+attribute system_writes_mnt_vendor_violators;
+expandattribute system_writes_mnt_vendor_violators false;
+
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary.  It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice_violators;
+expandattribute untrusted_app_visible_hwservice_violators false;
+
+# halserver domains that are accessible to untrusted applications.  These
+# domains are typically those hosting  hwservices attributed by the
+# untrusted_app_visible_hwservice_violators.
+# WARNING: Use of this attribute should be avoided unless absolutely necessary.
+# It is a temporary allowance to aid the transition to treble and will be
+# removed in the future platform version, requiring all halserver domains that
+# are labeled with this attribute to be submitted to AOSP in order to maintain
+# their app-visibility.
+attribute untrusted_app_visible_halserver_violators;
+expandattribute untrusted_app_visible_halserver_violators false;
+
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+expandattribute pdx_endpoint_socket_type false;
+attribute pdx_channel_socket_type;
+expandattribute pdx_channel_socket_type false;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(bufferhub_client)
+
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
+expandattribute halclientdomain true;
+
+# Exempt for halserverdomain to access sockets. Only builds for automotive
+# device types are allowed to use this attribute (enforced by CTS).
+# Unlike phone, in a car many modules are external from Android perspective and
+# HALs should be able to communicate with those devices through sockets.
+attribute hal_automotive_socket_exemption;
+
+# HALs
+hal_attribute(allocator);
+hal_attribute(atrace);
+hal_attribute(audio);
+hal_attribute(audiocontrol);
+hal_attribute(authsecret);
+hal_attribute(bluetooth);
+hal_attribute(bootctl);
+hal_attribute(bufferhub);
+hal_attribute(broadcastradio);
+hal_attribute(camera);
+hal_attribute(can_bus);
+hal_attribute(can_controller);
+hal_attribute(cas);
+hal_attribute(codec2);
+hal_attribute(configstore);
+hal_attribute(confirmationui);
+hal_attribute(contexthub);
+hal_attribute(drm);
+hal_attribute(evs);
+hal_attribute(face);
+hal_attribute(fingerprint);
+hal_attribute(gatekeeper);
+hal_attribute(gnss);
+hal_attribute(graphics_allocator);
+hal_attribute(graphics_composer);
+hal_attribute(health);
+hal_attribute(health_storage);
+hal_attribute(identity);
+hal_attribute(input_classifier);
+hal_attribute(ir);
+hal_attribute(keymaster);
+hal_attribute(keymint);
+hal_attribute(light);
+hal_attribute(lowpan);
+hal_attribute(memtrack);
+hal_attribute(neuralnetworks);
+hal_attribute(nfc);
+hal_attribute(oemlock);
+hal_attribute(omx);
+hal_attribute(power);
+hal_attribute(power_stats);
+hal_attribute(rebootescrow);
+hal_attribute(secure_element);
+hal_attribute(sensors);
+hal_attribute(telephony);
+hal_attribute(tetheroffload);
+hal_attribute(thermal);
+hal_attribute(tv_cec);
+hal_attribute(tv_input);
+hal_attribute(tv_tuner);
+hal_attribute(usb);
+hal_attribute(usb_gadget);
+hal_attribute(vehicle);
+hal_attribute(vibrator);
+hal_attribute(vr);
+hal_attribute(weaver);
+hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
+hal_attribute(wifi_supplicant);
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server  to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute automotive_display_service_server;
+attribute camera_service_server;
+attribute display_service_server;
+attribute scheduler_service_server;
+attribute sensor_service_server;
+attribute stats_service_server;
+attribute system_suspend_internal_server;
+attribute system_suspend_server;
+attribute wifi_keystore_service_server;
+
+# All types used for super partition block devices.
+attribute super_block_device_type;
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;
+expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
+
+attribute fusefs_type;

microdroid/system/public/crash_dump.te

@@ -0,0 +1,2 @@
+type crash_dump, domain;
+type crash_dump_exec, system_file_type, exec_type, file_type;

microdroid/system/public/device.te

@@ -0,0 +1,39 @@
+type ashmem_device, dev_type, mlstrustedobject;
+type ashmem_libcutils_device, dev_type, mlstrustedobject;
+type binder_device, dev_type, mlstrustedobject;
+type block_device, dev_type;
+type console_device, dev_type;
+type device, dev_type, fs_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
+type dmabuf_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_secure_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type fuse_device, dev_type, mlstrustedobject;
+type hw_random_device, dev_type;
+type hwbinder_device, dev_type, mlstrustedobject;
+type kmsg_debug_device, dev_type;
+type kmsg_device, dev_type, mlstrustedobject;
+type kvm_device, dev_type;
+type loop_control_device, dev_type;
+type loop_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type owntty_device, dev_type, mlstrustedobject;
+type ppp_device, dev_type;
+type properties_device, dev_type;
+type properties_serial, dev_type;
+type property_info, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type ram_device, dev_type;
+type random_device, dev_type, mlstrustedobject;
+type rtc_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type uhid_device, dev_type, mlstrustedobject;
+type uio_device, dev_type;
+type userdata_sysdev, dev_type;
+type vd_device, dev_type;
+type vndbinder_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;

microdroid/system/public/file.te

@@ -0,0 +1,204 @@
+type system_linker_exec, file_type, system_file_type;
+
+# file types
+type adbd_socket, file_type, coredomain_socket;
+type apc_service, service_manager_type;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type apex_info_file, file_type;
+type apex_mnt_dir, file_type;
+type cgroup_desc_api_file, file_type, system_file_type;
+type cgroup_desc_file, file_type, system_file_type;
+type cgroup_rc_file, file_type;
+type file_contexts_file, file_type, system_file_type;
+type hwservice_contexts_file, file_type, system_file_type;
+type keystore2_key_contexts_file, file_type, system_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type linkerconfig_file, file_type;
+type logd_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdw_socket, file_type, mlstrustedobject, coredomain_socket;
+type mac_perms_file, file_type, system_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+type property_contexts_file, file_type, system_file_type;
+type property_socket, file_type, mlstrustedobject, coredomain_socket;
+type runtime_event_log_tags_file, file_type;
+type seapp_contexts_file, file_type, system_file_type;
+type sepolicy_file, file_type, system_file_type;
+type service_contexts_file, file_type, system_file_type;
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type shell_test_data_file, file_type, data_file_type, core_data_file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_bootstrap_lib_file, file_type, system_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
+type system_event_log_tags_file, file_type, system_file_type;
+type system_file, file_type, system_file_type;
+type system_group_file, file_type, system_file_type;
+type system_lib_file, file_type, system_file_type;
+type system_linker_config_file, file_type, system_file_type;
+type system_passwd_file, file_type, system_file_type;
+type system_seccomp_policy_file, file_type, system_file_type;
+type system_security_cacerts_file, file_type, system_file_type;
+type task_profiles_api_file, file_type, system_file_type;
+type task_profiles_file, file_type, system_file_type;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tombstoned_crash_socket, file_type, mlstrustedobject, coredomain_socket;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type unlabeled, file_type;
+type vendor_configs_file, file_type, vendor_file_type;
+type vendor_data_file, file_type, data_file_type;
+type vendor_file, file_type, vendor_file_type;
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
+# file system types
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
+type binfmt_miscfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type cgroup_v2, fs_type;
+type config_gz, fs_type, proc_type;
+type configfs, fs_type;
+type debugfs, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_kcov, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type devpts, fs_type, mlstrustedobject;
+type devtmpfs;
+type exfat, fs_type, sdcard_type, mlstrustedobject;
+type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type fuse, fs_type, fusefs_type, mlstrustedobject;
+type fusectlfs, fs_type;
+type inotify, fs_type, mlstrustedobject;
+type labeledfs, fs_type;
+type mqueue, fs_type;
+type pipefs, fs_type;
+type proc, fs_type, proc_type;
+type proc_abi, fs_type, proc_type;
+type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
+type proc_buddyinfo, fs_type, proc_type;
+type proc_cmdline, fs_type, proc_type;
+type proc_cpuinfo, fs_type, proc_type;
+type proc_dirty, fs_type, proc_type;
+type proc_diskstats, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
+type proc_extra_free_kbytes, fs_type, proc_type;
+type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
+type proc_hostname, fs_type, proc_type;
+type proc_hung_task, fs_type, proc_type;
+type proc_interrupts, fs_type, proc_type;
+type proc_iomem, fs_type, proc_type;
+type proc_kallsyms, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
+type proc_kmsg, fs_type, proc_type;
+type proc_kpageflags, fs_type, proc_type;
+type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
+type proc_lowmemorykiller, fs_type, proc_type;
+type proc_max_map_count, fs_type, proc_type;
+type proc_meminfo, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
+type proc_misc, fs_type, proc_type;
+type proc_modules, fs_type, proc_type;
+type proc_mounts, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
+type proc_page_cluster, fs_type, proc_type;
+type proc_pagetypeinfo, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+type proc_perf, fs_type, proc_type;
+type proc_pid_max, fs_type, proc_type;
+type proc_pipe_conf, fs_type, proc_type;
+type proc_pressure_cpu, fs_type, proc_type;
+type proc_pressure_io, fs_type, proc_type;
+type proc_pressure_mem, fs_type, proc_type;
+type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
+type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
+type proc_random, fs_type, proc_type;
+type proc_sched, fs_type, proc_type;
+type proc_security, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
+type proc_stat, fs_type, proc_type;
+type proc_swaps, fs_type, proc_type;
+type proc_sysrq, fs_type, proc_type;
+type proc_timer, fs_type, proc_type;
+type proc_tty_drivers, fs_type, proc_type;
+type proc_uid_concurrent_active_time, fs_type, proc_type;
+type proc_uid_concurrent_policy_time, fs_type, proc_type;
+type proc_uid_cpupower, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
+type proc_uptime, fs_type, proc_type;
+type proc_version, fs_type, proc_type;
+type proc_vmallocinfo, fs_type, proc_type;
+type proc_vmstat, fs_type, proc_type;
+type proc_zoneinfo, fs_type, proc_type;
+type pstorefs, fs_type;
+type rootfs, fs_type;
+type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
+type securityfs, fs_type;
+type selinuxfs, fs_type, mlstrustedobject;
+type shm, fs_type;
+type sockfs, fs_type;
+type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_android_usb, fs_type, sysfs_type;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
+type sysfs_dma_heap, fs_type, sysfs_type;
+type sysfs_dmabuf_stats, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_extcon, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, fs_type, sysfs_type;
+type sysfs_fs_f2fs, fs_type, sysfs_type;
+type sysfs_fs_incfs_features, fs_type, sysfs_type;
+type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
+type sysfs_ion, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
+type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
+type sysfs_loop, fs_type, sysfs_type;
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_suspend_stats, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
+type sysfs_transparent_hugepage, fs_type, sysfs_type;
+type sysfs_uhid, fs_type, sysfs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_wakeup, fs_type, sysfs_type;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
+type tmpfs, fs_type;
+type usbfs, fs_type;
+type usermodehelper, fs_type, proc_type;
+type vfat, fs_type, sdcard_type, mlstrustedobject;

microdroid/system/public/global_macros

@@ -0,0 +1,51 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
+
+define(`devfile_class_set', `{ chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
+define(`dir_file_class_set', `{ dir file_class_set }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
+define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
+define(`w_file_perms', `{ open append write lock map }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
+define(`w_dir_perms', `{ open search write add_name remove_name lock }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')

microdroid/system/public/hal_keymint.te

@@ -0,0 +1,4 @@
+binder_call(hal_keymint_client, hal_keymint_server)
+
+hal_attribute_service(hal_keymint, hal_keymint_service)
+binder_call(hal_keymint_server, servicemanager)

microdroid/system/public/hwservicemanager.te

@@ -0,0 +1,2 @@
+type hwservicemanager, domain, mlstrustedsubject;
+type hwservicemanager_exec, file_type, exec_type, system_file_type;

microdroid/system/public/init.te

@@ -0,0 +1,8 @@
+# init is its own domain.
+type init, domain, mlstrustedsubject;
+type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
+
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { getattr write relabelto };
+allow init kmsg_debug_device:chr_file { open write relabelto };

microdroid/system/public/ioctl_macros

@@ -0,0 +1,76 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# Socket ioctls for gathering information about the interface
+SIOCGSTAMP SIOCGSTAMPNS
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
+SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
+# Wireless extension ioctls. Primarily get functions.
+SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
+SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
+SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
+}')
+
+# socket ioctls never allowed to unprivileged apps
+define(`priv_sock_ioctls', `
+{
+# qualcomm rmnet ioctls
+WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
+# socket ioctls
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
+SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
+SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
+SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
+SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
+SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
+SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
+SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
+SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
+# device and protocol specific ioctls
+SIOCDEVPRIVATE-SIOCDEVPRIVLAST
+SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
+# Wireless extension ioctls
+SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
+SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
+SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
+SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
+SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
+# Dev private ioctl i.e. hardware specific ioctls
+SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
+}')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{
+  TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
+
+# commonly used TTY ioctls
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+  TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
+  TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
+}')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+}')

microdroid/system/public/kernel.te

@@ -0,0 +1,2 @@
+# Life begins with the kernel.
+type kernel, domain, mlstrustedsubject;

microdroid/system/public/keystore.te

@@ -0,0 +1,26 @@
+type keystore, domain;
+type keystore_exec, file_type, exec_type, system_file_type;
+
+# keystore daemon
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+add_service(keystore, remoteprovisioning_service)
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
+add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)

microdroid/system/public/logcat.te

@@ -0,0 +1,2 @@
+type logcat;
+type logcat_exec, file_type, exec_type, system_file_type;

microdroid/system/public/logd.te

@@ -0,0 +1,2 @@
+type logd, domain;
+type logd_exec, file_type, exec_type, system_file_type;

microdroid/system/public/neverallow_macros

@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+  neverallow $1 $2:socket_class_set { connect sendto };
+  neverallow $1 $2:unix_stream_socket connectto;
+')

microdroid/system/public/property.te

@@ -0,0 +1,40 @@
+type apexd_prop, property_type;
+type bootloader_prop, property_type;
+type boottime_prop, property_type;
+type build_prop, property_type;
+type cold_boot_done_prop, property_type;
+type ctl_adbd_prop, property_type;
+type ctl_apexd_prop, property_type;
+type ctl_console_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
+type ctl_restart_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
+type debug_prop, property_type;
+type default_prop, property_type;
+type exported_default_prop, property_type;
+type fingerprint_prop, property_type;
+type hwservicemanager_prop, property_type;
+type init_perf_lsm_hooks_prop, property_type;
+type init_service_status_private_prop, property_type;
+type init_service_status_prop, property_type;
+type init_svc_debug_prop, property_type;
+type keystore_listen_prop, property_type;
+type logd_prop, property_type;
+type property_service_version_prop, property_type;
+type shell_prop, property_type;
+type usb_control_prop, property_type;
+type vendor_default_prop, property_type;
+type vmsecret_keymint_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+#----------------------------------------
+type adbd_config_prop, property_type;
+
+type module_sdkextensions_prop, property_type;

microdroid/system/public/roles

@@ -0,0 +1 @@
+role r types domain;

microdroid/system/public/runas.te

@@ -0,0 +1,2 @@
+type runas, domain, mlstrustedsubject, coredomain;
+type runas_exec, file_type, exec_type, system_file_type;

microdroid/system/public/servicemanager.te

@@ -0,0 +1,2 @@
+type servicemanager, domain;
+type servicemanager_exec, file_type, exec_type, system_file_type;

microdroid/system/public/shell.te

@@ -0,0 +1,82 @@
+# Domain for shell processes spawned by ADB or console service.
+type shell, domain, mlstrustedsubject;
+type shell_exec, system_file_type, exec_type, file_type;
+
+# Create and use network sockets.
+net_domain(shell)
+
+# logcat
+read_logd(shell)
+control_logd(shell)
+
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
+r_dir_file(shell, proc_net_type)
+
+allow shell {
+  proc_asound
+  proc_filesystems
+  proc_interrupts
+  proc_loadavg # b/124024827
+  proc_meminfo
+  proc_modules
+  proc_pid_max
+  proc_slabinfo
+  proc_stat
+  proc_timer
+  proc_uptime
+  proc_version
+  proc_vmstat
+  proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;

microdroid/system/public/statsd.te

@@ -0,0 +1,31 @@
+type statsd, domain, mlstrustedsubject;
+
+type statsd_exec, system_file_type, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+#   /system/bin/toolbox
+#   /system/bin/logcat
+#   /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read write };
+
+unix_socket_send(statsd, statsdw, statsd)

microdroid/system/public/su.te

@@ -0,0 +1,52 @@
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
+# File types must be defined for file_contexts.
+type su_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  # Domain used for su processes, as well as for adbd and adb shell
+  # after performing an adb root command.  The domain definition is
+  # wrapped to ensure that it does not exist at all on -user builds.
+  typeattribute su mlstrustedsubject;
+
+  # Add su to various domains
+  net_domain(su)
+
+  dontaudit su self:capability_class_set *;
+  dontaudit su self:capability2 *;
+  dontaudit su kernel:security *;
+  dontaudit su { kernel file_type }:system *;
+  dontaudit su self:memprotect *;
+  dontaudit su domain:{ process process2 } *;
+  dontaudit su domain:fd *;
+  dontaudit su domain:dir *;
+  dontaudit su domain:lnk_file *;
+  dontaudit su domain:{ fifo_file file } *;
+  dontaudit su domain:socket_class_set *;
+  dontaudit su domain:ipc_class_set *;
+  dontaudit su domain:key *;
+  dontaudit su fs_type:filesystem *;
+  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+  dontaudit su node_type:node *;
+  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+  dontaudit su netif_type:netif *;
+  dontaudit su port_type:socket_class_set *;
+  dontaudit su port_type:{ tcp_socket dccp_socket } *;
+  dontaudit su domain:peer *;
+  dontaudit su domain:binder *;
+  dontaudit su property_type:property_service *;
+  dontaudit su property_type:file *;
+  dontaudit su service_manager_type:service_manager *;
+  dontaudit su hwservice_manager_type:hwservice_manager *;
+  dontaudit su servicemanager:service_manager list;
+  dontaudit su hwservicemanager:hwservice_manager list;
+  dontaudit su keystore:keystore_key *;
+  dontaudit su keystore:keystore2 *;
+  dontaudit su domain:drmservice *;
+  dontaudit su unlabeled:filesystem *;
+  dontaudit su domain:bpf *;
+  dontaudit su unlabeled:vsock_socket *;
+  dontaudit su self:perf_event *;
+')

microdroid/system/public/te_macros

@@ -0,0 +1,988 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute map };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint open read execute getattr map };
+# New domain can send SIGCHLD to its caller.
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
+define(`tmpfs_domain', `
+type_transition $1 tmpfs:file $1_tmpfs;
+allow $1 $1_tmpfs:file { read write getattr map };
+')
+
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
+')
+
+#####################################
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+')
+
+####################################
+# userfaultfd_use(domain)
+# Allow domain to create/use userfaultfd.
+define(`userfaultfd_use', `
+# Set up a type_transition to "userfaultfd" named anonymous inode object.
+type $1_userfaultfd;
+type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
+# Allow domain to create/use userfaultfd anon_inode.
+allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Other domains may not use userfaultfd anon_inodes created by this domain.
+neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
+# This domain may not use userfaultfd anon_inodes created by other domains.
+neverallow $1 ~$1_userfaultfd:anon_inode *;
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label tmpfs objects for all apps.
+type_transition $1 tmpfs:file appdomain_tmpfs;
+userfaultfd_use($1)
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
+')
+
+#####################################
+# untrusted_app_domain(domain)
+# Allow a base set of permissions required for all untrusted apps.
+define(`untrusted_app_domain', `
+typeattribute $1 untrusted_app_all;
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+# hal_*_client and halclientdomain attributes are always expanded for
+# performance reasons. Neverallow rules targeting expanded attributes can not be
+# verified by CTS since these attributes are already expanded by that time.
+build_test_only(`
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
+')
+')
+
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+#   type hal_foo_default, domain;
+#   hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+#   hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+')
+
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+#   passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+get_prop($1, $2)
+')
+
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file { getattr open read map };
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
+# Allow servicemanager to send out callbacks
+allow servicemanager $1:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open map };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open map };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:global_capability2_class_set block_suspend;
+# system_suspend permissions
+binder_call($1, system_suspend_server)
+allow $1 system_suspend_hwservice:hwservice_manager find;
+# halclientdomain permissions
+hwbinder_use($1)
+get_prop($1, hwservicemanager_prop)
+allow $1 hidl_manager_hwservice:hwservice_manager find;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Recovery only
+# SELinux rules which apply only to recovery mode
+#
+define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+
+#####################################
+# Not recovery
+# SELinux rules which apply only to non-recovery (normal) mode
+#
+define(`not_recovery', ifelse(target_recovery, `true', , $1))
+
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
+#####################################
+# Compatible property only
+# SELinux rules which apply only to devices with compatible property
+#
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
+ifelse(target_compatible_property, `cts',
+# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not compatible property
+# SELinux rules which apply only to devices without compatible property
+#
+define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
+# Build-time-only test
+# SELinux rules which are verified during build, but not as part of *TS testing.
+#
+define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+  allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
+# TODO: Figure out why write is needed.
+allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned:fd use;
+allow $1 tombstoned_crash_socket:sock_file write;
+allow $1 tombstone_data_file:file append;
+')
+
+#####################################
+# WITH_DEXPREOPT builds
+# SELinux rules which apply only when pre-opting.
+#
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
+')
+
+#####################################
+# read_logd(domain)
+# Ability to run logcat and read from android
+# log daemon via sockets
+define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# read_runtime_log_tags(domain)
+# ability to directly map the runtime event log tags
+define(`read_runtime_log_tags', `
+allow $1 runtime_event_log_tags_file:file r_file_perms;
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+  allow keystore $1:dir search;
+  allow keystore $1:file { read open };
+  allow keystore $1:process getattr;
+  allow $1 apc_service:service_manager find;
+  allow $1 keystore_service:service_manager find;
+  allow $1 legacykeystore_service:service_manager find;
+  binder_call($1, keystore)
+  binder_call(keystore, $1)
+')
+
+#####################################
+# use_credstore(domain)
+# Ability to use credstore.
+define(`use_credstore', `
+  allow credstore $1:dir search;
+  allow credstore $1:file { read open };
+  allow credstore $1:process getattr;
+  allow $1 credstore_service:service_manager find;
+  binder_call($1, credstore)
+  binder_call(credstore, $1)
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+  allow drmserver $1:dir search;
+  allow drmserver $1:file { read open };
+  allow drmserver $1:process getattr;
+')
+
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+  allow $1 $2:service_manager { add find };
+  neverallow { domain -$1 } $2:service_manager add;
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+  allow $1 $2:hwservice_manager { add find };
+  allow $1 hidl_base_hwservice:hwservice_manager add;
+  neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
+###########################################
+# hal_attribute_hwservice(attribute, service)
+# Ability for domain to get a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_hwservice
+define(`hal_attribute_hwservice', `
+  allow $1_client $2:hwservice_manager find;
+  add_hwservice($1_server, $2)
+
+  build_test_only(`
+    # if you are hitting this neverallow, try using:
+    #     hal_client_domain(<your domain>, hal_<foo>)
+    # instead
+    neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
+  ')
+')
+
+###########################################
+# hal_attribute_service(attribute, service)
+# Ability for domain to get a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+#
+# Used to pair hal_foo_client with hal_foo_service
+define(`hal_attribute_service', `
+  allow $1_client $2:service_manager find;
+  add_service($1_server, $2)
+
+  build_test_only(`
+    # if you are hitting this neverallow, try using:
+    #     hal_client_domain(<your domain>, hal_<foo>)
+    # instead
+    neverallow {
+        domain
+        -$1_client
+        -$1_server
+        -shell
+    } $2:service_manager find;
+  ')
+')
+
+###################################
+# can_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by central
+# heapprofd.
+define(`can_profile_heap', `
+  # Allow central daemon to send signal for client initialization.
+  allow heapprofd $1:process signal;
+  # Allow connecting to the daemon.
+  unix_socket_connect($1, heapprofd, heapprofd)
+  # Allow daemon to use the passed fds.
+  allow heapprofd $1:fd use;
+  # Allow to read and write to heapprofd shmem.
+  # The client needs to read the read and write pointers in order to write.
+  allow $1 heapprofd_tmpfs:file { read write getattr map };
+  # Use shared memory received over the unix socket.
+  allow $1 heapprofd:fd use;
+
+  # To read and write from the received file descriptors.
+  # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+  # process they relate to.
+  # We need to write to /proc/$PID/page_idle to find idle allocations.
+  # The client only opens /proc/self/page_idle with RDWR, everything else
+  # with RDONLY.
+  # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+  # sys_ptrace.
+  allow heapprofd $1:file rw_file_perms;
+  # Allow searching the /proc/[pid] directory for cmdline.
+  allow heapprofd $1:dir r_dir_perms;
+')
+
+###################################
+# never_profile_heap(domain)
+# Opt out of heap profiling by heapprofd.
+define(`never_profile_heap', `
+  neverallow heapprofd $1:file read;
+  neverallow heapprofd $1:process signal;
+')
+
+###################################
+# can_profile_perf(domain)
+# Allow processes within the domain to be profiled, and have their stacks
+# sampled, by traced_perf.
+define(`can_profile_perf', `
+  # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
+  # reads /proc/[pid]/cmdline.
+  allow traced_perf $1:file r_file_perms;
+  allow traced_perf $1:dir r_dir_perms;
+
+  # Allow central daemon to send signal to request /proc/[pid]/maps and
+  # /proc/[pid]/mem fds from this process.
+  allow traced_perf $1:process signal;
+
+  # Allow connecting to the daemon.
+  unix_socket_connect($1, traced_perf, traced_perf)
+  # Allow daemon to use the passed fds.
+  allow traced_perf $1:fd use;
+')
+
+###################################
+# never_profile_perf(domain)
+# Opt out of profiling by traced_perf.
+define(`never_profile_perf', `
+  neverallow traced_perf $1:file read;
+  neverallow traced_perf $1:process signal;
+')
+
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+# When applying this macro, you might need to also allow traced to use the
+# producer tmpfs domain, if the producer will be the one creating the shared
+# memory.
+define(`perfetto_producer', `
+  allow $1 traced:fd use;
+  allow $1 traced_tmpfs:file { read write getattr map };
+  unix_socket_connect($1, traced_producer, traced)
+
+  # Also allow the service to use the producer file descriptors. This is
+  # necessary when the producer is creating the shared memory, as it will be
+  # passed to the service as a file descriptor (obtained from memfd_create).
+  allow traced $1:fd use;
+')
+
+###########################################
+# dump_hal(hal_type)
+# Ability to dump the hal debug info
+#
+define(`dump_hal', `
+  hal_client_domain(dumpstate, $1);
+  allow $1_server dumpstate:fifo_file write;
+  allow $1_server dumpstate:fd use;
+')
+
+#####################################
+# treble_sysprop_neverallow(rules)
+# SELinux neverallow rules which enforces the accessibility of each property
+# outside the owner.
+#
+# For devices launching with R or later, exported properties must be explicitly marked as
+# "restricted" or "public", depending on the accessibility outside the owner.
+# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these rules only for devices launching with R or later.
+#
+# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
+#
+define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
+ifelse(target_treble_sysprop_neverallow, `cts',
+# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# enforce_sysprop_owner(rules)
+# SELinux neverallow rules which enforces the owner of each property.
+#
+# For devices launching with S or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these ules only for devices launching with S or later.
+#
+define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
+ifelse(target_enforce_sysprop_owner, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+###########################################
+# define_prop(name, owner, scope)
+# Define a property with given owner and scope
+#
+define(`define_prop', `
+  type $1, property_type, $2_property_type, $2_$3_property_type;
+')
+
+###########################################
+# system_internal_prop(name)
+# Define a /system-owned property used only in /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_internal_prop', `
+  define_prop($1, system, internal)
+  treble_sysprop_neverallow(`
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
+  ')
+')
+
+###########################################
+# system_restricted_prop(name)
+# Define a /system-owned property which can't be written outside /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`system_restricted_prop', `
+  define_prop($1, system, restricted)
+  treble_sysprop_neverallow(`
+    neverallow { domain -coredomain } $1:property_service set;
+  ')
+')
+
+###########################################
+# system_public_prop(name)
+# Define a /system-owned property with no restrictions
+#
+define(`system_public_prop', `define_prop($1, system, public)')
+
+###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+  system_public_prop($1)
+  set_prop(vendor_init, $1)
+  neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
+# product_internal_prop(name)
+# Define a /product-owned property used only in /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_internal_prop', `
+  define_prop($1, product, internal)
+  treble_sysprop_neverallow(`
+    neverallow { domain -coredomain } $1:file no_rw_file_perms;
+  ')
+')
+
+###########################################
+# product_restricted_prop(name)
+# Define a /product-owned property which can't be written outside /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`product_restricted_prop', `
+  define_prop($1, product, restricted)
+  treble_sysprop_neverallow(`
+    neverallow { domain -coredomain } $1:property_service set;
+  ')
+')
+
+###########################################
+# product_public_prop(name)
+# Define a /product-owned property with no restrictions
+#
+define(`product_public_prop', `define_prop($1, product, public)')
+
+###########################################
+# vendor_internal_prop(name)
+# Define a /vendor-owned property used only in /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_internal_prop', `
+  define_prop($1, vendor, internal)
+  treble_sysprop_neverallow(`
+# init and dumpstate are in coredomain, but should be able to read all props.
+    neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
+  ')
+')
+
+###########################################
+# vendor_restricted_prop(name)
+# Define a /vendor-owned property which can't be written outside /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
+#
+define(`vendor_restricted_prop', `
+  define_prop($1, vendor, restricted)
+  treble_sysprop_neverallow(`
+# init is in coredomain, but should be able to write all props.
+    neverallow { coredomain -init } $1:property_service set;
+  ')
+')
+
+###########################################
+# vendor_public_prop(name)
+# Define a /vendor-owned property with no restrictions
+#
+define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+  allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+  allow $1 gsi_public_metadata_file:file r_file_perms;
+')

microdroid/system/public/tombstoned.te

@@ -0,0 +1,2 @@
+type tombstoned, domain;
+type tombstoned_exec, file_type, exec_type, system_file_type;

microdroid/system/public/toolbox.te

@@ -0,0 +1,2 @@
+type toolbox, domain;
+type toolbox_exec, file_type, exec_type, system_file_type;

microdroid/system/public/type.te

@@ -0,0 +1,23 @@
+# Miscellaneous types
+type adb_service, system_server_service, system_api_service, service_manager_type;
+type apex_service, service_manager_type;
+type authorization_service, service_manager_type;
+type credstore_service, app_api_service, service_manager_type;
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type default_android_service, service_manager_type;
+type hal_keymint_service, protected_service, vendor_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
+type keystore_service, service_manager_type;
+type legacykeystore_service, service_manager_type;
+type remoteprovisioning_service, service_manager_type;
+type system_linker;
+type vm_payload_key;

microdroid/system/public/ueventd.te

@@ -0,0 +1,4 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+type ueventd_tmpfs, file_type;

microdroid/system/public/vendor_init.te

@@ -0,0 +1,150 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open getattr write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+  file_type
+  -exec_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
+allow vendor_init {
+  file_type
+  -exec_type
+  -runtime_event_log_tags_file
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+  -apex_info_file
+  enforce_debugfs_restriction(`-debugfs_type')
+}:file { create getattr open read write setattr relabelfrom unlink map };
+
+allow vendor_init {
+  file_type
+  -exec_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+  file_type
+  -apex_mnt_dir
+  -exec_type
+  -system_file_type
+  -unlabeled
+  -vendor_file_type
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+  file_type
+  -exec_type
+  -system_file_type
+  -vendor_file_type
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+  fs_type
+  -fusefs_type
+  -rootfs
+  -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
+  enforce_debugfs_restriction(`-debugfs_type')
+}:file { open read setattr map };
+
+allow vendor_init tracefs_type:file { open read setattr map };
+
+allow vendor_init {
+  fs_type
+  -fusefs_type
+  -rootfs
+  -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
+}:dir  { open read setattr search };
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# vendor_init is using bootstrap bionic
+allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
+allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
+# Allow vendor_init to (re)set nice
+allow vendor_init self:capability sys_nice;
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+  dev_type
+  -kvm_device
+  -hw_random_device
+}:chr_file setattr;

microdroid/vendor/file_contexts

@@ -0,0 +1,38 @@
+# TODO(jiyong): clean this up
+#############################
+# Vendor files
+#
+(/.*)?                  u:object_r:vendor_file:s0
+/bin/sh                 u:object_r:vendor_shell_exec:s0
+/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
+/bin/toolbox            u:object_r:vendor_toolbox_exec:s0
+/etc(/.*)?              u:object_r:vendor_configs_file:s0
+/etc/cgroups\.json      u:object_r:vendor_cgroup_desc_file:s0
+/etc/task_profiles\.json    u:object_r:vendor_task_profiles_file:s0
+
+/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
+
+/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+/manifest\.xml           u:object_r:vendor_configs_file:s0
+/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
+/etc/vintf(/.*)?        u:object_r:vendor_configs_file:s0
+/app(/.*)?              u:object_r:vendor_app_file:s0
+/priv-app(/.*)?         u:object_r:vendor_app_file:s0
+/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
+/framework(/.*)?        u:object_r:vendor_framework_file:s0
+
+/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
+/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
+
+# HAL location
+/lib(64)?/hw            u:object_r:vendor_hal_file:s0
+
+/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
+
+/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+
+/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0

microdroid/vendor/hal_keymint_default.te

@@ -0,0 +1,13 @@
+type hal_keymint_default, domain;
+hal_server_domain(hal_keymint_default, hal_keymint)
+
+type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymint_default)
+
+allow hal_keymint_default keystore:binder transfer;
+allow hal_keymint_default system_lib_file:file execute;
+
+allow logd hal_keymint_default:dir search;
+allow logd hal_keymint_default:file { getattr open read };
+
+get_prop(hal_keymint_default, vmsecret_keymint_prop);