Merge "Minimize microdroid public policy" into main

2024-03-28 07:47:50 +00:00 · 2024-03-28 07:47:50 +00:00 · 7b6ce3bf13
commit 7b6ce3bf13
parent f02575f27f 9bad60cb1f
21 changed files with 332 additions and 274 deletions
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@ -440,3 +440,7 @@ allow init prng_seeder:unix_stream_socket { create bind listen };
 r_dir_file(init, vendor_kernel_modules)
 allow init self:capability sys_module;
 allow init vendor_kernel_modules:system module_load;
 allow init tmpfs:chr_file relabelfrom;
 allow init kmsg_device:chr_file { getattr write relabelto };
 allow init kmsg_debug_device:chr_file { open write relabelto };
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@ -18,6 +18,11 @@ dontaudit domain {
  ctl_fuse_prop
 }:property_service set;
 allow property_type tmpfs:filesystem associate;
 dontaudit { domain -init } default_prop:file no_rw_file_perms;
 dontaudit { domain -init } default_prop:property_service set;
 ###
 ### Neverallow rules
 ###
@ -67,3 +72,7 @@ neverallow {
    domain
    -init
 } non_existing_prop:property_service set;
 # Properties should be explicitly labeled in property_contexts
 neverallow { domain -init } default_prop:file no_rw_file_perms;
 neverallow { domain -init } default_prop:property_service set;
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@ -1,5 +1,76 @@
 typeattribute shell coredomain;
 # Root fs.
 allow shell rootfs:dir r_dir_perms;
 # Access /data/local/tmp.
 allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 # allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
 r_dir_file(shell, proc_net_type)
 allow shell {
  proc_asound
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_slabinfo
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_vmstat
  proc_zoneinfo
 }:file r_file_perms;
 # allow listing network interfaces under /sys/class/net.
 allow shell sysfs_net:dir r_dir_perms;
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
 allow shell cgroup_desc_api_file:file r_file_perms;
 r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
 # statvfs() of /proc and other labeled filesystems
 # (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
 allow shell { proc labeledfs }:filesystem getattr;
 # stat() of /dev
 allow shell device:dir getattr;
 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr;
 # Allow pulling the SELinux policy for CTS purposes
 allow shell selinuxfs:dir r_dir_perms;
 allow shell selinuxfs:file r_file_perms;
 # /dev/fd is a symlink
 allow shell proc:lnk_file getattr;
 # read selinux policy files
 allow shell file_contexts_file:file r_file_perms;
 allow shell property_contexts_file:file r_file_perms;
 allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
 # Perform SELinux access checks, needed for CTS
 selinux_check_access(shell)
 selinux_check_context(shell)
--- a/microdroid/system/private/statsd.te
+++ b/microdroid/system/private/statsd.te
@ -1,3 +1,22 @@
 typeattribute statsd coredomain;
 init_daemon_domain(statsd)
 # Allow statsd to scan through /proc/pid for all processes.
 r_dir_file(statsd, domain)
 # Allow executing files on system, such as running a shell or running:
 #   /system/bin/toolbox
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow statsd devpts:chr_file { getattr ioctl read write };
 allow statsd shell_exec:file rx_file_perms;
 allow statsd system_file:file execute_no_trans;
 allow statsd toolbox_exec:file rx_file_perms;
 # Allow 'adb shell cmd' to upload configs and download output.
 allow statsd adbd:fd use;
 allow statsd adbd:unix_stream_socket { getattr read write };
 allow statsd shell:fifo_file { getattr read write };
 unix_socket_send(statsd, statsdw, statsd)
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@ -2,3 +2,34 @@ typeattribute su coredomain;
 # su is also permissive to permit setenforce.
 permissive su;
 # Add su to various domains
 dontaudit su self:capability_class_set *;
 dontaudit su self:capability2 *;
 dontaudit su kernel:security *;
 dontaudit su { kernel file_type }:system *;
 dontaudit su self:memprotect *;
 dontaudit su domain:{ process process2 } *;
 dontaudit su domain:fd *;
 dontaudit su domain:dir *;
 dontaudit su domain:lnk_file *;
 dontaudit su domain:{ fifo_file file } *;
 dontaudit su domain:socket_class_set *;
 dontaudit su domain:ipc_class_set *;
 dontaudit su domain:key *;
 dontaudit su fs_type:filesystem *;
 dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
 dontaudit su node_type:node *;
 dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
 dontaudit su netif_type:netif *;
 dontaudit su port_type:socket_class_set *;
 dontaudit su port_type:{ tcp_socket dccp_socket } *;
 dontaudit su domain:peer *;
 dontaudit su domain:binder *;
 dontaudit su property_type:property_service *;
 dontaudit su property_type:file *;
 dontaudit su domain:drmservice *;
 dontaudit su unlabeled:filesystem *;
 dontaudit su domain:bpf *;
 dontaudit su unlabeled:vsock_socket *;
 dontaudit su self:perf_event *;
--- a/microdroid/system/private/vendor_init.te
+++ b/microdroid/system/private/vendor_init.te
@ -0,0 +1,144 @@
 # Communication to the main init process
 allow vendor_init init:unix_stream_socket { read write };
 # Logging to kmsg
 allow vendor_init kmsg_device:chr_file { open getattr write };
 # Mount on /dev/usb-ffs/adb.
 allow vendor_init device:dir mounton;
 # Create and remove symlinks in /.
 allow vendor_init rootfs:lnk_file { create unlink };
 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
 allow vendor_init cgroup:file w_file_perms;
 allow vendor_init cgroup_v2:dir create_dir_perms;
 allow vendor_init cgroup_v2:file w_file_perms;
 # /config
 allow vendor_init configfs:dir mounton;
 allow vendor_init configfs:dir create_dir_perms;
 allow vendor_init configfs:{ file lnk_file } create_file_perms;
 # Create directories under /dev/cpuctl after chowning it to system.
 allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 allow vendor_init system_data_file:dir getattr;
 allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
 allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
  -apex_info_file
  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow vendor_init {
  file_type
  -apex_mnt_dir
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
 }:lnk_file { create getattr setattr relabelfrom unlink };
 allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -vendor_file_type
 }:dir_file_class_set relabelto;
 allow vendor_init dev_type:dir create_dir_perms;
 allow vendor_init dev_type:lnk_file create;
 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
 allow vendor_init debugfs_tracing:file w_file_perms;
 # chown/chmod on pseudo files.
 allow vendor_init {
  fs_type
  -fusefs_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr map };
 allow vendor_init tracefs_type:file { open read setattr map };
 allow vendor_init {
  fs_type
  -fusefs_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
 }:dir  { open read setattr search };
 allow vendor_init dev_type:blk_file getattr;
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
 r_dir_file(vendor_init, proc_net_type)
 allow vendor_init proc_net_type:file w_file_perms;
 allow vendor_init self:global_capability_class_set net_admin;
 # Write to /proc/sys/vm/page-cluster
 allow vendor_init proc_page_cluster:file w_file_perms;
 # Write to sysfs nodes.
 allow vendor_init sysfs_type:dir r_dir_perms;
 allow vendor_init sysfs_type:lnk_file read;
 allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
 # setfscreatecon() for labeling directories and socket files.
 allow vendor_init self:process { setfscreate };
 r_dir_file(vendor_init, vendor_file_type)
 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;
 # vendor_init is using bootstrap bionic
 use_bootstrap_libs(vendor_init)
 # Get file context
 allow vendor_init file_contexts_file:file r_file_perms;
 # Allow vendor_init to (re)set nice
 allow vendor_init self:capability sys_nice;
 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
  dev_type
  -hw_random_device
 }:chr_file setattr;
--- a/microdroid/system/public/adbd.te
+++ b/microdroid/system/public/adbd.te
@ -1,2 +1,6 @@
 type adbd, domain;
 type adbd_exec, exec_type, file_type, system_file_type;
 # public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/apexd.te
+++ b/microdroid/system/public/apexd.te
@ -1,2 +1,6 @@
 type apexd, domain, coredomain;
 type apexd_exec, file_type, exec_type, system_file_type;
 # public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/crash_dump.te
+++ b/microdroid/system/public/crash_dump.te
@ -1,2 +1,6 @@
 type crash_dump, domain;
 type crash_dump_exec, system_file_type, exec_type, file_type;
 # public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@ -27,3 +27,7 @@ type tty_device, dev_type;
 type vd_device, dev_type;
 type vsock_device, dev_type;
 type zero_device, dev_type;
 # public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@ -191,3 +191,7 @@ type tmpfs, fs_type;
 type usbfs, fs_type;
 type usermodehelper, fs_type, proc_type;
 type vfat, fs_type, sdcard_type;
 # public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/init.te
+++ b/microdroid/system/public/init.te
@ -3,6 +3,6 @@ type init, domain;
 type init_exec, system_file_type, exec_type, file_type;
 type init_tmpfs, file_type;
-allow init tmpfs:chr_file relabelfrom;
+# public is for vendor-facing type and attribute definitions.
-allow init kmsg_device:chr_file { getattr write relabelto };
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
-allow init kmsg_debug_device:chr_file { open write relabelto };
+# Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/kernel.te
+++ b/microdroid/system/public/kernel.te
@ -1,2 +1,6 @@
 # Life begins with the kernel.
 type kernel, domain;
 # public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@ -50,11 +50,6 @@ type usb_control_prop, property_type;
 type vendor_default_prop, property_type;
 type powerctl_prop, property_type;
-allow property_type tmpfs:filesystem associate;
+# public is for vendor-facing type and attribute definitions.
-
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
-# Properties should be explicitly labeled in property_contexts
+# Instead, add such policy rules to private/*.te.
 neverallow { domain -init } default_prop:file no_rw_file_perms;
 neverallow { domain -init } default_prop:property_service set;
 dontaudit { domain -init } default_prop:file no_rw_file_perms;
 dontaudit { domain -init } default_prop:property_service set;
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@ -2,73 +2,6 @@
 type shell, domain;
 type shell_exec, system_file_type, exec_type, file_type;
-# Root fs.
+# public is for vendor-facing type and attribute definitions.
-allow shell rootfs:dir r_dir_perms;
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
-
+# Instead, add such policy rules to private/*.te.
 # Access /data/local/tmp.
 allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 # allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
 r_dir_file(shell, proc_net_type)
 allow shell {
  proc_asound
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_slabinfo
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_vmstat
  proc_zoneinfo
 }:file r_file_perms;
 # allow listing network interfaces under /sys/class/net.
 allow shell sysfs_net:dir r_dir_perms;
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
 allow shell cgroup_desc_api_file:file r_file_perms;
 r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
 # statvfs() of /proc and other labeled filesystems
 # (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
 allow shell { proc labeledfs }:filesystem getattr;
 # stat() of /dev
 allow shell device:dir getattr;
 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr;
 # Allow pulling the SELinux policy for CTS purposes
 allow shell selinuxfs:dir r_dir_perms;
 allow shell selinuxfs:file r_file_perms;
 # /dev/fd is a symlink
 allow shell proc:lnk_file getattr;
 # read selinux policy files
 allow shell file_contexts_file:file r_file_perms;
 allow shell property_contexts_file:file r_file_perms;
 allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@ -1,22 +1,6 @@
 type statsd, domain;
 type statsd_exec, system_file_type, exec_type, file_type;
-# Allow statsd to scan through /proc/pid for all processes.
+# public is for vendor-facing type and attribute definitions.
-r_dir_file(statsd, domain)
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
-
+# Instead, add such policy rules to private/*.te.
 # Allow executing files on system, such as running a shell or running:
 #   /system/bin/toolbox
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow statsd devpts:chr_file { getattr ioctl read write };
 allow statsd shell_exec:file rx_file_perms;
 allow statsd system_file:file execute_no_trans;
 allow statsd toolbox_exec:file rx_file_perms;
 # Allow 'adb shell cmd' to upload configs and download output.
 allow statsd adbd:fd use;
 allow statsd adbd:unix_stream_socket { getattr read write };
 allow statsd shell:fifo_file { getattr read write };
 unix_socket_send(statsd, statsdw, statsd)
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@ -5,33 +5,6 @@
 # that adb root works on debuggable VMs even for user builds.
 type su, domain;
-# Add su to various domains
+# public is for vendor-facing type and attribute definitions.
-dontaudit su self:capability_class_set *;
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
-dontaudit su self:capability2 *;
+# Instead, add such policy rules to private/*.te.
 dontaudit su kernel:security *;
 dontaudit su { kernel file_type }:system *;
 dontaudit su self:memprotect *;
 dontaudit su domain:{ process process2 } *;
 dontaudit su domain:fd *;
 dontaudit su domain:dir *;
 dontaudit su domain:lnk_file *;
 dontaudit su domain:{ fifo_file file } *;
 dontaudit su domain:socket_class_set *;
 dontaudit su domain:ipc_class_set *;
 dontaudit su domain:key *;
 dontaudit su fs_type:filesystem *;
 dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
 dontaudit su node_type:node *;
 dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
 dontaudit su netif_type:netif *;
 dontaudit su port_type:socket_class_set *;
 dontaudit su port_type:{ tcp_socket dccp_socket } *;
 dontaudit su domain:peer *;
 dontaudit su domain:binder *;
 dontaudit su property_type:property_service *;
 dontaudit su property_type:file *;
 dontaudit su domain:drmservice *;
 dontaudit su unlabeled:filesystem *;
 dontaudit su domain:bpf *;
 dontaudit su unlabeled:vsock_socket *;
 dontaudit su self:perf_event *;
--- a/microdroid/system/public/toolbox.te
+++ b/microdroid/system/public/toolbox.te
@ -1,2 +1,6 @@
 type toolbox, domain;
 type toolbox_exec, file_type, exec_type, system_file_type;
 # public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@ -1,3 +1,7 @@
 # Miscellaneous types
 type system_linker;
 type vm_payload_key;
 # public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/ueventd.te
+++ b/microdroid/system/public/ueventd.te
@ -2,3 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 type ueventd_tmpfs, file_type;
 # public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to private/*.te.
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@ -1,147 +1,6 @@
 # vendor_init is its own domain.
 type vendor_init, domain;
-# Communication to the main init process
+# public is for vendor-facing type and attribute definitions.
-allow vendor_init init:unix_stream_socket { read write };
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
-
+# Instead, add such policy rules to private/*.te.
 # Logging to kmsg
 allow vendor_init kmsg_device:chr_file { open getattr write };
 # Mount on /dev/usb-ffs/adb.
 allow vendor_init device:dir mounton;
 # Create and remove symlinks in /.
 allow vendor_init rootfs:lnk_file { create unlink };
 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
 allow vendor_init cgroup:file w_file_perms;
 allow vendor_init cgroup_v2:dir create_dir_perms;
 allow vendor_init cgroup_v2:file w_file_perms;
 # /config
 allow vendor_init configfs:dir mounton;
 allow vendor_init configfs:dir create_dir_perms;
 allow vendor_init configfs:{ file lnk_file } create_file_perms;
 # Create directories under /dev/cpuctl after chowning it to system.
 allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 allow vendor_init system_data_file:dir getattr;
 allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
 allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
  -apex_info_file
  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow vendor_init {
  file_type
  -apex_mnt_dir
  -exec_type
  -system_file_type
  -unlabeled
  -vendor_file_type
 }:lnk_file { create getattr setattr relabelfrom unlink };
 allow vendor_init {
  file_type
  -exec_type
  -system_file_type
  -vendor_file_type
 }:dir_file_class_set relabelto;
 allow vendor_init dev_type:dir create_dir_perms;
 allow vendor_init dev_type:lnk_file create;
 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
 allow vendor_init debugfs_tracing:file w_file_perms;
 # chown/chmod on pseudo files.
 allow vendor_init {
  fs_type
  -fusefs_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr map };
 allow vendor_init tracefs_type:file { open read setattr map };
 allow vendor_init {
  fs_type
  -fusefs_type
  -rootfs
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
 }:dir  { open read setattr search };
 allow vendor_init dev_type:blk_file getattr;
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
 r_dir_file(vendor_init, proc_net_type)
 allow vendor_init proc_net_type:file w_file_perms;
 allow vendor_init self:global_capability_class_set net_admin;
 # Write to /proc/sys/vm/page-cluster
 allow vendor_init proc_page_cluster:file w_file_perms;
 # Write to sysfs nodes.
 allow vendor_init sysfs_type:dir r_dir_perms;
 allow vendor_init sysfs_type:lnk_file read;
 allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
 # setfscreatecon() for labeling directories and socket files.
 allow vendor_init self:process { setfscreate };
 r_dir_file(vendor_init, vendor_file_type)
 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;
 # vendor_init is using bootstrap bionic
 use_bootstrap_libs(vendor_init)
 # Get file context
 allow vendor_init file_contexts_file:file r_file_perms;
 # Allow vendor_init to (re)set nice
 allow vendor_init self:capability sys_nice;
 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
  dev_type
  -hw_random_device
 }:chr_file setattr;