diff --git a/prebuilts/api/28.0/private/access_vectors b/prebuilts/api/28.0/private/access_vectors
new file mode 100644
index 000000000..898c884cd
--- /dev/null
+++ b/prebuilts/api/28.0/private/access_vectors
@@ -0,0 +1,726 @@ +# +# Define common prefixes for access vectors +# +# common common_name { permission_name ... } + + +# +# Define a common prefix for file access vectors. +# + +common file +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + map + unlink + link + rename + execute + quotaon + mounton +} + + +# +# Define a common prefix for socket access vectors. +# + +common socket +{ +# inherited from file + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + map +# socket-specific + bind + connect + listen + accept + getopt + setopt + shutdown + recvfrom + sendto + name_bind +} + +# +# Define a common prefix for ipc access vectors. +# + +common ipc +{ + create + destroy + getattr + setattr + read + write + associate + unix_read + unix_write +} + +# +# Define a common for capability access vectors. +# +common cap +{ + # The capabilities are defined in include/linux/capability.h + # Capabilities >= 32 are defined in the cap2 common. + # Care should be taken to ensure that these are consistent with + # those definitions. (Order matters) + + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config + mknod + lease + audit_write + audit_control + setfcap +} + +common cap2 +{ + mac_override # unused by SELinux + mac_admin # unused by SELinux + syslog + wake_alarm + block_suspend + audit_read +} + +# +# Define the access vectors. +# +# class class_name [ inherits common_name ] { permission_name ... } + + +# +# Define the access vector interpretation for file-related objects. 
+# + +class filesystem +{ + mount + remount + unmount + getattr + relabelfrom + relabelto + associate + quotamod + quotaget +} + +class dir +inherits file +{ + add_name + remove_name + reparent + search + rmdir + open + audit_access + execmod +} + +class file +inherits file +{ + execute_no_trans + entrypoint + execmod + open + audit_access +} + +class lnk_file +inherits file +{ + open + audit_access + execmod +} + +class chr_file +inherits file +{ + execute_no_trans + entrypoint + execmod + open + audit_access +} + +class blk_file +inherits file +{ + open + audit_access + execmod +} + +class sock_file +inherits file +{ + open + audit_access + execmod +} + +class fifo_file +inherits file +{ + open + audit_access + execmod +} + +class fd +{ + use +} + + +# +# Define the access vector interpretation for network-related objects. +# + +class socket +inherits socket + +class tcp_socket +inherits socket +{ + node_bind + name_connect +} + +class udp_socket +inherits socket +{ + node_bind +} + +class rawip_socket +inherits socket +{ + node_bind +} + +class node +{ + recvfrom + sendto +} + +class netif +{ + ingress + egress +} + +class netlink_socket +inherits socket + +class packet_socket +inherits socket + +class key_socket +inherits socket + +class unix_stream_socket +inherits socket +{ + connectto +} + +class unix_dgram_socket +inherits socket + +class bpf +{ + map_create + map_read + map_write + prog_load + prog_run +} + +# +# Define the access vector interpretation for process-related objects +# + +class process +{ + fork + transition + sigchld # commonly granted from child to parent + sigkill # cannot be caught or ignored + sigstop # cannot be caught or ignored + signull # for kill(pid, 0) + signal # all other signals + ptrace + getsched + setsched + getsession + getpgid + setpgid + getcap + setcap + share + getattr + setexec + setfscreate + noatsecure + siginh + setrlimit + rlimitinh + dyntransition + setcurrent + execmem + execstack + execheap + setkeycreate + 
setsockcreate + getrlimit +} + + +# +# Define the access vector interpretation for ipc-related objects +# + +class ipc +inherits ipc + +class sem +inherits ipc + +class msgq +inherits ipc +{ + enqueue +} + +class msg +{ + send + receive +} + +class shm +inherits ipc +{ + lock +} + + +# +# Define the access vector interpretation for the security server. +# + +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce # was avc_toggle in system class + setbool + setsecparam + setcheckreqprot + read_policy + validate_trans +} + + +# +# Define the access vector interpretation for system operations. +# + +class system +{ + ipc_info + syslog_read + syslog_mod + syslog_console + module_request + module_load +} + +# +# Define the access vector interpretation for controlling capabilities +# + +class capability +inherits cap + +class capability2 +inherits cap2 + +# +# Extended Netlink classes +# +class netlink_route_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_tcpdiag_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_nflog_socket +inherits socket + +class netlink_xfrm_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_selinux_socket +inherits socket + +class netlink_audit_socket +inherits socket +{ + nlmsg_read + nlmsg_write + nlmsg_relay + nlmsg_readpriv + nlmsg_tty_audit +} + +class netlink_dnrt_socket +inherits socket + +# Define the access vector interpretation for controlling +# access to IPSec network data by association +# +class association +{ + sendto + recvfrom + setcontext + polmatch +} + +# Updated Netlink class for KOBJECT_UEVENT family. 
+class netlink_kobject_uevent_socket +inherits socket + +class appletalk_socket +inherits socket + +class packet +{ + send + recv + relabelto + flow_in # deprecated + flow_out # deprecated + forward_in + forward_out +} + +class key +{ + view + read + write + search + link + setattr + create +} + +class dccp_socket +inherits socket +{ + node_bind + name_connect +} + +class memprotect +{ + mmap_zero +} + +# network peer labels +class peer +{ + recv +} + +class kernel_service +{ + use_as_override + create_files_as +} + +class tun_socket +inherits socket +{ + attach_queue +} + +class binder +{ + impersonate + call + set_context_mgr + transfer +} + +class netlink_iscsi_socket +inherits socket + +class netlink_fib_lookup_socket +inherits socket + +class netlink_connector_socket +inherits socket + +class netlink_netfilter_socket +inherits socket + +class netlink_generic_socket +inherits socket + +class netlink_scsitransport_socket +inherits socket + +class netlink_rdma_socket +inherits socket + +class netlink_crypto_socket +inherits socket + +# +# Define the access vector interpretation for controlling capabilities +# in user namespaces +# + +class cap_userns +inherits cap + +class cap2_userns +inherits cap2 + + +# +# Define the access vector interpretation for the new socket classes +# enabled by the extended_socket_class policy capability. +# + +# +# The next two classes were previously mapped to rawip_socket and therefore +# have the same definition as rawip_socket (until further permissions +# are defined). +# +class sctp_socket +inherits socket +{ + node_bind +} + +class icmp_socket +inherits socket +{ + node_bind +} + +# +# The remaining network socket classes were previously +# mapped to the socket class and therefore have the +# same definition as socket. 
+# + +class ax25_socket +inherits socket + +class ipx_socket +inherits socket + +class netrom_socket +inherits socket + +class atmpvc_socket +inherits socket + +class x25_socket +inherits socket + +class rose_socket +inherits socket + +class decnet_socket +inherits socket + +class atmsvc_socket +inherits socket + +class rds_socket +inherits socket + +class irda_socket +inherits socket + +class pppox_socket +inherits socket + +class llc_socket +inherits socket + +class can_socket +inherits socket + +class tipc_socket +inherits socket + +class bluetooth_socket +inherits socket + +class iucv_socket +inherits socket + +class rxrpc_socket +inherits socket + +class isdn_socket +inherits socket + +class phonet_socket +inherits socket + +class ieee802154_socket +inherits socket + +class caif_socket +inherits socket + +class alg_socket +inherits socket + +class nfc_socket +inherits socket + +class vsock_socket +inherits socket + +class kcm_socket +inherits socket + +class qipcrtr_socket +inherits socket + +class smc_socket +inherits socket + +class property_service +{ + set +} + +class service_manager +{ + add + find + list +} + +class hwservice_manager +{ + add + find + list +} + +class keystore_key +{ + get_state + get + insert + delete + exist + list + reset + password + lock + unlock + is_empty + sign + verify + grant + duplicate + clear_uid + add_auth + user_changed + gen_unique_id +} + +class drmservice { + consumeRights + setPlaybackStatus + openDecryptSession + closeDecryptSession + initializeDecryptUnit + decrypt + finalizeDecryptUnit + pread +} diff --git a/prebuilts/api/28.0/private/adbd.te b/prebuilts/api/28.0/private/adbd.te new file mode 100644 index 000000000..77c0d7377 --- /dev/null +++ b/prebuilts/api/28.0/private/adbd.te 
@@ -0,0 +1,148 @@
+### ADB daemon
+
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+init_daemon_domain(adbd)
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+ allow adbd self:process setcurrent;
+ allow adbd su:process dyntransition;
+')
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:global_capability_class_set { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:global_capability_class_set setpcap;
+
+# Create and use network sockets.
+net_domain(adbd)
+
+# Access /dev/usb-ffs/adb/ep0
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
+# adb push/pull sdcard.
+allow adbd tmpfs:dir search;
+allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
+# adb pull /data/anr/traces.txt
+allow adbd anr_data_file:dir r_dir_perms;
+allow adbd anr_data_file:file r_file_perms;
+
+# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
+set_prop(adbd, exported_ffs_prop)
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
+# Run /system/bin/bu
+allow adbd system_file:file rx_file_perms;
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file r_file_perms;
+
+userdebug_or_eng(`
+ # Write debugging information to /data/adb
+ # when persist.adb.trace_mask is set
+ # https://code.google.com/p/android/issues/detail?id=72895
+ allow adbd adb_data_file:dir rw_dir_perms;
+ allow adbd adb_data_file:file create_file_perms;
+')
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
+
+# Allow pulling config.gz for CTS purposes
+allow adbd config_gz:file r_file_perms;
+
+allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow adbd media_rw_data_file:dir create_dir_perms;
+allow adbd media_rw_data_file:file create_file_perms;
+
+r_dir_file(adbd, apk_data_file)
+
+allow adbd rootfs:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/prebuilts/api/28.0/private/app.te b/prebuilts/api/28.0/private/app.te
new file mode 100644
index 000000000..f3e1e2a09
--- /dev/null
+++ b/prebuilts/api/28.0/private/app.te
@@ -0,0 +1,7 @@
+# TODO: deal with tmpfs_domain pub/priv split properly
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+neverallow appdomain system_server:udp_socket {
+ accept append bind create ioctl listen lock name_bind
+ relabelfrom relabelto setattr shutdown };
diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te
new file mode 100644
index 000000000..4628314f3
--- /dev/null
+++ b/prebuilts/api/28.0/private/app_neverallows.te
@@ -0,0 +1,264 @@ +### +### neverallow rules for untrusted app domains +### + +define(`all_untrusted_apps',`{ + ephemeral_app + isolated_app + mediaprovider + untrusted_app + untrusted_app_25 + untrusted_app_27 + untrusted_app_all + untrusted_v2_app +}') +# Receive or send uevent messages. +neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *; + +# Receive or send generic netlink messages +neverallow all_untrusted_apps domain:netlink_socket *; + +# Too much leaky information in debugfs. It's a security +# best practice to ensure these files aren't readable. +neverallow all_untrusted_apps debugfs_type:file read; + +# Do not allow untrusted apps to register services. +# Only trusted components of Android should be registering +# services. +neverallow all_untrusted_apps service_manager_type:service_manager add; + +# Do not allow untrusted apps to use VendorBinder +neverallow all_untrusted_apps vndbinder_device:chr_file *; +neverallow all_untrusted_apps vndservice_manager_type:service_manager *; + +# Do not allow untrusted apps to connect to the property service +# or set properties. b/10243159 +neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write; +neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto; +neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set; + +# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps, +# but otherwise disallow untrusted apps from reading this property. +neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read; + +# Do not allow untrusted apps to be assigned mlstrustedsubject. +# This would undermine the per-user isolation model being +# enforced via levelFrom=user in seapp_contexts and the mls +# constraints. 
As there is no direct way to specify a neverallow +# on attribute assignment, this relies on the fact that fork +# permission only makes sense within a domain (hence should +# never be granted to any other domain within mlstrustedsubject) +# and an untrusted app is allowed fork permission to itself. +neverallow all_untrusted_apps mlstrustedsubject:process fork; + +# Do not allow untrusted apps to hard link to any files. +# In particular, if an untrusted app links to other app data +# files, installd will not be able to guarantee the deletion +# of the linked to file. Hard links also contribute to security +# bugs, so we want to ensure untrusted apps never have this +# capability. +neverallow all_untrusted_apps file_type:file link; + +# Do not allow untrusted apps to access network MAC address file +neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms; + +# Do not allow any write access to files in /sys +neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms }; + +# Apps may never access the default sysfs label. +neverallow all_untrusted_apps sysfs:file no_rw_file_perms; + +# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the +# ioctl permission, or 3. disallow the socket class. 
+neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow all_untrusted_apps *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+
+# Do not allow untrusted apps access to /cache
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted apps to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow { all_untrusted_apps -mediaprovider } {
+ fs_type
+ -fuse # sdcard
+ -sdcardfs # sdcard
+ -vfat
+ file_type
+ -app_data_file # The apps sandbox itself
+ -media_rw_data_file # Internal storage. Known that apps can
+ # leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files + userdebug_or_eng(` + -method_trace_data_file # only on ro.debuggable=1 + -coredump_file # userdebug/eng only + ') +}:dir_file_class_set { create unlink }; + +# No untrusted component should be touching /dev/fuse +neverallow all_untrusted_apps fuse_device:chr_file *; + +# Do not allow untrusted apps to directly open tun_device +neverallow all_untrusted_apps tun_device:chr_file open; + +# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) +neverallow all_untrusted_apps anr_data_file:file ~{ open append }; +neverallow all_untrusted_apps anr_data_file:dir ~search; + +# Avoid reads from generically labeled /proc files +# Create a more specific label if needed +neverallow all_untrusted_apps { + proc + proc_asound + proc_filesystems + proc_kmsg + proc_loadavg + proc_mounts + proc_pagetypeinfo + proc_stat + proc_swaps + proc_uptime + proc_version + proc_vmallocinfo + proc_vmstat +}:file { no_rw_file_perms no_x_file_perms }; + +# Avoid all access to kernel configuration +neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms }; + +# Do not allow untrusted apps access to preloads data files +neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms; + +# Locking of files on /system could lead to denial of service attacks +# against privileged system components +neverallow all_untrusted_apps system_file:file lock; + +# Do not permit untrusted apps to perform actions on HwBinder service_manager +# other than find actions for services listed below +neverallow all_untrusted_apps *:hwservice_manager ~find; + +# Do not permit access from apps which host arbitrary code to HwBinder services, +# except those considered sufficiently safe for access from such apps. +# The two main reasons for this are: +# 1. 
HwBinder servers do not perform client authentication because HIDL +# currently does not expose caller UID information and, even if it did, many +# HwBinder services either operate at a level below that of apps (e.g., HALs) +# or must not rely on app identity for authorization. Thus, to be safe, the +# default assumption is that every HwBinder service treats all its clients as +# equally authorized to perform operations offered by the service. +# 2. HAL servers (a subset of HwBinder services) contain code with higher +# incidence rate of security issues than system/core components and have +# access to lower layes of the stack (all the way down to hardware) thus +# increasing opportunities for bypassing the Android security model. +# +# Safe services include: +# - same process services: because they by definition run in the process +# of the client and thus have the same access as the client domain in which +# the process runs +# - coredomain_hwservice: are considered safe because they do not pose risks +# associated with reason #2 above. +# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been +# designed for use by any domain. +# - hal_graphics_allocator_hwservice: because these operations are also offered +# by surfaceflinger Binder service, which apps are permitted to access +# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec +# Binder service which apps were permitted to access. +# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice. 
+neverallow all_untrusted_apps {
+ hwservice_manager_type
+ -same_process_hwservice
+ -coredomain_hwservice
+ -hal_codec2_hwservice
+ -hal_configstore_ISurfaceFlingerConfigs
+ -hal_graphics_allocator_hwservice
+ -hal_omx_hwservice
+ -hal_cas_hwservice
+ -hal_neuralnetworks_hwservice
+ -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_audio_hwservice
+ hal_authsecret_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_confirmationui_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_secure_element_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_offload_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
+ system_net_netd_hwservice
+ thermalcallback_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+ coredomain_hwservice
+ -same_process_hwservice
+ -hidl_allocator_hwservice # Designed for use by any domain
+ -hidl_manager_hwservice # Designed for use by any domain
+ -hidl_memory_hwservice # Designed for use by any domain
+ -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+ neverallow all_untrusted_apps {
+ halserverdomain
+ -coredomain
+ -hal_configstore_server
+ -hal_graphics_allocator_server
+ -hal_cas_server
+ -hal_neuralnetworks_server
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ -untrusted_app_visible_halserver
+ }:binder { call transfer };
+')
+
+# Untrusted apps are not allowed to find mediaextractor update service.
+neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
diff --git a/prebuilts/api/28.0/private/asan_extract.te b/prebuilts/api/28.0/private/asan_extract.te
new file mode 100644
index 000000000..1c20d78ec
--- /dev/null
+++ b/prebuilts/api/28.0/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
diff --git a/prebuilts/api/28.0/private/atrace.te b/prebuilts/api/28.0/private/atrace.te
new file mode 100644
index 000000000..630935da0
--- /dev/null
+++ b/prebuilts/api/28.0/private/atrace.te
@@ -0,0 +1,46 @@
+# Domain for atrace process.
+# It is spawned either by traced_probes or by init for the boottrace service.
+
+type atrace, domain, coredomain;
+type atrace_exec, exec_type, file_type;
+
+# boottrace services uses /data/misc/boottrace/categories
+allow atrace boottrace_data_file:dir search;
+allow atrace boottrace_data_file:file r_file_perms;
+
+# Allow atrace to access tracefs.
+allow atrace debugfs_tracing:dir r_dir_perms;
+allow atrace debugfs_tracing:file rw_file_perms;
+allow atrace debugfs_trace_marker:file getattr;
+
+# atrace sets debug.atrace.* properties
+set_prop(atrace, debug_prop)
+
+# atrace pokes all the binder-enabled processes at startup with a
+# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
+
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+get_prop(atrace, hwservicemanager_prop)
+
+allow atrace {
+ service_manager_type
+ -incident_service
+ -netd_service
+ -stats_service
+ -dumpstate_service
+ -installd_service
+ -vold_service
+}:service_manager { find };
+allow atrace servicemanager:service_manager list;
+
+userdebug_or_eng(`
+ # atrace is generally invoked as a standalone binary from shell or perf
+ # daemons like Perfetto traced_probes. However, in userdebug builds, there is
+ # a further option to run atrace as an init daemon for boot tracing.
+ init_daemon_domain(atrace)
+
+ allow atrace debugfs_tracing_debug:dir r_dir_perms;
+ allow atrace debugfs_tracing_debug:file rw_file_perms;
+')
diff --git a/prebuilts/api/28.0/private/audioserver.te b/prebuilts/api/28.0/private/audioserver.te
new file mode 100644
index 000000000..a82cfecbd
--- /dev/null
+++ b/prebuilts/api/28.0/private/audioserver.te
@@ -0,0 +1,87 @@ +# audioserver - audio services daemon + +typeattribute audioserver coredomain; + +type audioserver_exec, exec_type, file_type; +init_daemon_domain(audioserver) + +r_dir_file(audioserver, sdcard_type) + +binder_use(audioserver) +binder_call(audioserver, binderservicedomain) +binder_call(audioserver, appdomain) +binder_service(audioserver) + +hal_client_domain(audioserver, hal_allocator) +# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so +r_dir_file(audioserver, system_file) + +hal_client_domain(audioserver, hal_audio) + +userdebug_or_eng(` + # used for TEE sink - pcm capture for debug. + allow audioserver media_data_file:dir create_dir_perms; + allow audioserver audioserver_data_file:dir create_dir_perms; + allow audioserver audioserver_data_file:file create_file_perms; + + # ptrace to processes in the same domain for memory leak detection + allow audioserver self:process ptrace; +') + +add_service(audioserver, audioserver_service) +allow audioserver activity_service:service_manager find; +allow audioserver appops_service:service_manager find; +allow audioserver batterystats_service:service_manager find; +allow audioserver permission_service:service_manager find; +allow audioserver power_service:service_manager find; +allow audioserver scheduling_policy_service:service_manager find; + +# Allow read/write access to bluetooth-specific properties +set_prop(audioserver, bluetooth_a2dp_offload_prop) +set_prop(audioserver, bluetooth_prop) +set_prop(audioserver, exported_bluetooth_prop) + +# Grant access to audio files to audioserver +allow audioserver audio_data_file:dir ra_dir_perms; +allow audioserver audio_data_file:file create_file_perms; + +# allow access to ALSA MMAP FDs for AAudio API +allow audioserver audio_device:chr_file { read write }; + +not_full_treble(`allow audioserver audio_device:dir r_dir_perms;') +not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;') + +# For A2DP bridge which is loaded 
directly into audioserver +unix_socket_connect(audioserver, bluetooth, bluetooth) + +# Allow shell commands from ADB and shell for CTS testing/dumping +allow audioserver adbd:fd use; +allow audioserver adbd:unix_stream_socket { read write }; +allow audioserver shell:fifo_file { read write }; + +# Allow shell commands from ADB for CTS testing/dumping +userdebug_or_eng(` + allow audioserver su:fd use; + allow audioserver su:fifo_file { read write }; + allow audioserver su:unix_stream_socket { read write }; +') + +### +### neverallow rules +### + +# audioserver should never execute any executable without a +# domain transition +neverallow audioserver { file_type fs_type }:file execute_no_trans; + +# The goal of the mediaserver split is to place media processing code into +# restrictive sandboxes with limited responsibilities and thus limited +# permissions. Example: Audioserver is only responsible for controlling audio +# hardware and processing audio content. Cameraserver does the same for camera +# hardware/content. Etc. +# +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *; diff --git a/prebuilts/api/28.0/private/binder_in_vendor_violators.te b/prebuilts/api/28.0/private/binder_in_vendor_violators.te new file mode 100644 index 000000000..4a1218e1d --- /dev/null +++ b/prebuilts/api/28.0/private/binder_in_vendor_violators.te @@ -0,0 +1 @@ +allow binder_in_vendor_violators binder_device:chr_file rw_file_perms; diff --git a/prebuilts/api/28.0/private/binderservicedomain.te b/prebuilts/api/28.0/private/binderservicedomain.te new file mode 100644 index 000000000..0891ee5b2 --- /dev/null +++ b/prebuilts/api/28.0/private/binderservicedomain.te 
@@ -0,0 +1,22 @@
+# Rules common to all binder service domains
+
+# Allow dumpstate and incidentd to collect information from binder services
+allow binderservicedomain { dumpstate incidentd }:fd use;
+allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
+allow binderservicedomain shell_data_file:file { getattr write };
+
+# Allow dumpsys to work from adb shell or the serial console
+allow binderservicedomain devpts:chr_file rw_file_perms;
+allow binderservicedomain console_device:chr_file rw_file_perms;
+
+# Receive and write to a pipe received over Binder from an app.
+allow binderservicedomain appdomain:fd use;
+allow binderservicedomain appdomain:fifo_file write;
+
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore(binderservicedomain)
diff --git a/prebuilts/api/28.0/private/blank_screen.te b/prebuilts/api/28.0/private/blank_screen.te
new file mode 100644
index 000000000..43d273bd0
--- /dev/null
+++ b/prebuilts/api/28.0/private/blank_screen.te
@@ -0,0 +1,6 @@
+type blank_screen, domain, coredomain;
+type blank_screen_exec, exec_type, file_type;
+
+init_daemon_domain(blank_screen)
+
+hal_client_domain(blank_screen, hal_light)
diff --git a/prebuilts/api/28.0/private/blkid.te b/prebuilts/api/28.0/private/blkid.te
new file mode 100644
index 000000000..090912b82
--- /dev/null
+++ b/prebuilts/api/28.0/private/blkid.te
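Review bot: The `keystore_key` rule near the end of the hunk grants `{ get_state get insert delete exist list sign verify }` to every domain carrying the binderservicedomain attribute and is the only rule in this file without a comment, so a reader cannot tell which services actually need the mutating operations (insert, delete) rather than lookup and sign. Suggest `# Every binder service may create, use and remove its own keystore keys; move insert/delete to the specific domains that need them if the set can be narrowed.` above the rule. It is also worth confirming whether `use_keystore(binderservicedomain)` on the next line already covers part of this grant; if so, the explicit rule could be trimmed to whatever the macro does not provide.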
@@ -0,0 +1,22 @@
+# blkid called from vold
+
+typeattribute blkid coredomain;
+
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/28.0/private/blkid_untrusted.te b/prebuilts/api/28.0/private/blkid_untrusted.te
new file mode 100644
index 000000000..125677157
--- /dev/null
+++ b/prebuilts/api/28.0/private/blkid_untrusted.te
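Review bot: The entrypoint neverallow on the last line of the hunk excludes `shell_exec` without saying why; the only hint is the `popen()` comment several lines up on the rx_file_perms rule, and the exclusion is the one part of this lockdown a reader is likely to question. Suggest `# shell_exec is excluded because popen() spawns blkid through a shell` directly above `neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;`. The identical exclusion in blkid_untrusted.te in the next hunk would benefit from the same comment.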
@@ -0,0 +1,37 @@
+# blkid for untrusted block devices
+
+typeattribute blkid_untrusted coredomain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/28.0/private/bluetooth.te b/prebuilts/api/28.0/private/bluetooth.te
new file mode 100644
index 000000000..d4198553e
--- /dev/null
+++ b/prebuilts/api/28.0/private/bluetooth.te
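Review bot: The `no_rw_file_perms` neverallow in the middle of the hunk enumerates the sensitive block device types by hand, so any block device type added later sits outside the lockdown unless someone remembers this list; `misc_block_device`, which the 26.0 compat mapping further down this diff shows already exists, is not listed, and whether it is meant to be covered is worth stating either way. Suggest `# Keep this list in sync with the declared *_block_device types; misc_block_device is deliberately (not) included because ...` above the rule, with the reason filled in. The real grant on the allow side is only `vold_device`, so the list is defence in depth, which makes a completeness comment cheap and useful.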
@@ -0,0 +1,80 @@
+# bluetooth app
+
+typeattribute bluetooth coredomain;
+
+app_domain(bluetooth)
+net_domain(bluetooth)
+
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(bluetooth);
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
+allow bluetooth bluetooth_logs_data_file:file create_file_perms;
+
+# Socket creation under /data/misc/bluedroid.
+allow bluetooth bluetooth_socket:sock_file create_file_perms;
+
+allow bluetooth self:global_capability_class_set net_admin;
+allow bluetooth self:global_capability2_class_set wake_alarm;
+
+# tethering
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth efs_file:dir search;
+
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# Allow write access to bluetooth specific properties
+set_prop(bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, exported_bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+
+allow bluetooth audioserver_service:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth drmserver_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:global_capability_class_set sys_nice;
+
+hal_client_domain(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_telephony)
+
+# Bluetooth A2DP offload requires binding with audio HAL
+hal_client_domain(bluetooth, hal_audio)
+
+read_runtime_log_tags(bluetooth)
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/28.0/private/bluetoothdomain.te b/prebuilts/api/28.0/private/bluetoothdomain.te
new file mode 100644
index 000000000..fe4f0e663
--- /dev/null
+++ b/prebuilts/api/28.0/private/bluetoothdomain.te
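Review bot: `allow bluetooth self:global_capability_class_set net_admin;` in the first half of the hunk is redundant with the tethering rule a few lines below that already grants `{ net_admin net_raw net_bind_service }`, and the duplicate makes the effective capability set harder to audit against the `~{ net_admin net_raw net_bind_service sys_nice}` neverallow at the end of the file. Suggest dropping the standalone line, or, if net_admin is needed independently of tethering, keeping it with a comment that says so. Separately, `wakelock_use(bluetooth);` is the only macro invocation here with a trailing semicolon (`app_domain`, `net_domain`, `set_prop`, `hal_client_domain` have none), so it reads as a stray token and should be made consistent with the rest of the file.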
@@ -0,0 +1,2 @@
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/prebuilts/api/28.0/private/bootanim.te b/prebuilts/api/28.0/private/bootanim.te
new file mode 100644
index 000000000..20ff1934b
--- /dev/null
+++ b/prebuilts/api/28.0/private/bootanim.te
@@ -0,0 +1,6 @@
+typeattribute bootanim coredomain;
+
+init_daemon_domain(bootanim)
+
+# b/68864350
+dontaudit bootanim unlabeled:dir search;
diff --git a/prebuilts/api/28.0/private/bootstat.te b/prebuilts/api/28.0/private/bootstat.te
new file mode 100644
index 000000000..806144cf6
--- /dev/null
+++ b/prebuilts/api/28.0/private/bootstat.te
@@ -0,0 +1,3 @@
+typeattribute bootstat coredomain;
+
+init_daemon_domain(bootstat)
diff --git a/prebuilts/api/28.0/private/bpfloader.te b/prebuilts/api/28.0/private/bpfloader.te
new file mode 100644
index 000000000..e6902316d
--- /dev/null
+++ b/prebuilts/api/28.0/private/bpfloader.te
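Review bot: In the bootanim.te hunk, `dontaudit bootanim unlabeled:dir search;` is justified only by `# b/68864350`, which tells a reader nothing about which directory is unlabeled or why hiding the denial is acceptable; a dontaudit on `unlabeled` is precisely the kind of rule that masks a labelling bug, so the reason belongs in the comment, not only in the tracker. Suggest replacing the bare reference with something like `# b/68864350: <path> is unlabeled on some devices; suppress the harmless search denial until it is labelled` with the path taken from the bug.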
@@ -0,0 +1,28 @@
+# bpf program loader
+type bpfloader, domain;
+type bpfloader_exec, exec_type, file_type;
+typeattribute bpfloader coredomain;
+
+# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
+allow bpfloader self:global_capability_class_set net_admin;
+
+r_dir_file(bpfloader, cgroup_bpf)
+
+# These permission is required for pin bpf program for netd.
+allow bpfloader fs_bpf:dir create_dir_perms;
+allow bpfloader fs_bpf:file create_file_perms;
+allow bpfloader devpts:chr_file { read write };
+
+allow bpfloader netd:fd use;
+
+# Use pinned bpf map files from netd.
+allow bpfloader netd:bpf { map_read map_write };
+allow bpfloader self:bpf { prog_load prog_run };
+
+# Neverallow rules
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
+neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+# only system_server, netd and bpfloader can read/write the bpf maps
+neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
diff --git a/prebuilts/api/28.0/private/bufferhubd.te b/prebuilts/api/28.0/private/bufferhubd.te
new file mode 100644
index 000000000..012eb2027
--- /dev/null
+++ b/prebuilts/api/28.0/private/bufferhubd.te
@@ -0,0 +1,3 @@
+typeattribute bufferhubd coredomain;
+
+init_daemon_domain(bufferhubd)
diff --git a/prebuilts/api/28.0/private/bug_map b/prebuilts/api/28.0/private/bug_map
new file mode 100644
index 000000000..2727cd2d3
--- /dev/null
+++ b/prebuilts/api/28.0/private/bug_map
@@ -0,0 +1,7 @@
+platform_app nfc_data_file dir 74331887
+priv_app system_data_file dir 72811052
+system_server crash_dump process 73128755
+untrusted_app_25 system_data_file dir 72550646
+untrusted_app_27 system_data_file dir 72550646
+usbd usbd capability 72472544
+system_server sysfs file 77816522
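Review bot: The two neverallow rules near the end of the bpfloader.te hunk, `neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;` and `neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };`, omit the space before the closing brace that every other set in this file uses (`{ domain -bpfloader }`), and the comment `# These permission is required for pin bpf program for netd.` is ungrammatical. Suggest `# These permissions are required to pin bpf programs for netd.` and adding the missing spaces so the set syntax is uniform. `allow bpfloader devpts:chr_file { read write };` is also the only allow rule in the file with no comment; a one-liner saying what it is for (presumably stdio when run from a terminal, to be confirmed) would help the next reader.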
diff --git a/prebuilts/api/28.0/private/cameraserver.te b/prebuilts/api/28.0/private/cameraserver.te
new file mode 100644
index 000000000..c16c13260
--- /dev/null
+++ b/prebuilts/api/28.0/private/cameraserver.te
@@ -0,0 +1,3 @@
+typeattribute cameraserver coredomain;
+
+init_daemon_domain(cameraserver)
diff --git a/prebuilts/api/28.0/private/charger.te b/prebuilts/api/28.0/private/charger.te
new file mode 100644
index 000000000..65109deff
--- /dev/null
+++ b/prebuilts/api/28.0/private/charger.te
@@ -0,0 +1 @@
+typeattribute charger coredomain;
diff --git a/prebuilts/api/28.0/private/clatd.te b/prebuilts/api/28.0/private/clatd.te
new file mode 100644
index 000000000..5ba0fc5cd
--- /dev/null
+++ b/prebuilts/api/28.0/private/clatd.te
@@ -0,0 +1 @@
+typeattribute clatd coredomain;
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
new file mode 100644
index 000000000..06befe0bf
--- /dev/null
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
@@ -0,0 +1,762 @@ +;; attributes removed from current policy +(typeattribute hal_wifi_keystore) +(typeattribute hal_wifi_keystore_client) +(typeattribute hal_wifi_keystore_server) + +;; types removed from current policy +(type asan_reboot_prop) +(type log_device) +(type mediacasserver_service) +(type reboot_data_file) +(type tracing_shell_writable) +(type tracing_shell_writable_debug) +(type vold_socket) +(type webview_zygote_socket) +(type rild) + +(typeattributeset accessibility_service_26_0 (accessibility_service)) +(typeattributeset account_service_26_0 (account_service)) +(typeattributeset activity_service_26_0 (activity_service)) +(typeattributeset adbd_26_0 (adbd)) +(typeattributeset adb_data_file_26_0 (adb_data_file)) +(typeattributeset adbd_socket_26_0 (adbd_socket)) +(typeattributeset adb_keys_file_26_0 (adb_keys_file)) +(typeattributeset alarm_device_26_0 (alarm_device)) +(typeattributeset alarm_service_26_0 (alarm_service)) +(typeattributeset anr_data_file_26_0 (anr_data_file)) +(typeattributeset apk_data_file_26_0 (apk_data_file)) +(typeattributeset apk_private_data_file_26_0 (apk_private_data_file)) +(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file)) +(typeattributeset apk_tmp_file_26_0 (apk_tmp_file)) +(typeattributeset app_data_file_26_0 (app_data_file)) +(typeattributeset app_fuse_file_26_0 (app_fuse_file)) +(typeattributeset app_fusefs_26_0 (app_fusefs)) +(typeattributeset appops_service_26_0 (appops_service)) +(typeattributeset appwidget_service_26_0 (appwidget_service)) +(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop)) +(typeattributeset asec_apk_file_26_0 (asec_apk_file)) +(typeattributeset asec_image_file_26_0 (asec_image_file)) +(typeattributeset asec_public_file_26_0 (asec_public_file)) +(typeattributeset ashmem_device_26_0 (ashmem_device)) +(typeattributeset assetatlas_service_26_0 (assetatlas_service)) +(typeattributeset audio_data_file_26_0 (audio_data_file)) +(typeattributeset audio_device_26_0 (audio_device)) 
+(typeattributeset audiohal_data_file_26_0 (audiohal_data_file)) +(typeattributeset audio_prop_26_0 (audio_prop)) +(typeattributeset audio_seq_device_26_0 (audio_seq_device)) +(typeattributeset audioserver_26_0 (audioserver)) +(typeattributeset audioserver_data_file_26_0 (audioserver_data_file)) +(typeattributeset audioserver_service_26_0 (audioserver_service)) +(typeattributeset audio_service_26_0 (audio_service)) +(typeattributeset audio_timer_device_26_0 (audio_timer_device)) +(typeattributeset autofill_service_26_0 (autofill_service)) +(typeattributeset backup_data_file_26_0 (backup_data_file)) +(typeattributeset backup_service_26_0 (backup_service)) +(typeattributeset batteryproperties_service_26_0 (batteryproperties_service)) +(typeattributeset battery_service_26_0 (battery_service)) +(typeattributeset batterystats_service_26_0 (batterystats_service)) +(typeattributeset binder_device_26_0 (binder_device)) +(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs)) +(typeattributeset blkid_26_0 (blkid)) +(typeattributeset blkid_untrusted_26_0 (blkid_untrusted)) +(typeattributeset block_device_26_0 (block_device)) +(typeattributeset bluetooth_26_0 (bluetooth)) +(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file)) +(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file)) +(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file)) +(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service)) +(typeattributeset bluetooth_prop_26_0 (bluetooth_prop)) +(typeattributeset bluetooth_service_26_0 (bluetooth_service)) +(typeattributeset bluetooth_socket_26_0 (bluetooth_socket)) +(typeattributeset bootanim_26_0 (bootanim)) +(typeattributeset bootanim_exec_26_0 (bootanim_exec)) +(typeattributeset boot_block_device_26_0 (boot_block_device)) +(typeattributeset bootchart_data_file_26_0 (bootchart_data_file)) +(typeattributeset bootstat_26_0 (bootstat)) +(typeattributeset bootstat_data_file_26_0 (bootstat_data_file)) 
+(typeattributeset bootstat_exec_26_0 (bootstat_exec)) +(typeattributeset boottime_prop_26_0 (boottime_prop)) +(typeattributeset boottrace_data_file_26_0 (boottrace_data_file)) +(typeattributeset bufferhubd_26_0 (bufferhubd)) +(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec)) +(typeattributeset cache_backup_file_26_0 (cache_backup_file)) +(typeattributeset cache_block_device_26_0 (cache_block_device)) +(typeattributeset cache_file_26_0 (cache_file)) +(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file)) +(typeattributeset cache_recovery_file_26_0 (cache_recovery_file)) +(typeattributeset camera_data_file_26_0 (camera_data_file)) +(typeattributeset camera_device_26_0 (camera_device)) +(typeattributeset cameraproxy_service_26_0 (cameraproxy_service)) +(typeattributeset cameraserver_26_0 (cameraserver)) +(typeattributeset cameraserver_exec_26_0 (cameraserver_exec)) +(typeattributeset cameraserver_service_26_0 (cameraserver_service)) +(typeattributeset cgroup_26_0 (cgroup)) +(typeattributeset charger_26_0 (charger)) +(typeattributeset clatd_26_0 (clatd)) +(typeattributeset clatd_exec_26_0 (clatd_exec)) +(typeattributeset clipboard_service_26_0 (clipboard_service)) +(typeattributeset commontime_management_service_26_0 (commontime_management_service)) +(typeattributeset companion_device_service_26_0 (companion_device_service)) +(typeattributeset configfs_26_0 (configfs)) +(typeattributeset config_prop_26_0 (config_prop)) +(typeattributeset connectivity_service_26_0 (connectivity_service)) +(typeattributeset connmetrics_service_26_0 (connmetrics_service)) +(typeattributeset console_device_26_0 (console_device)) +(typeattributeset consumer_ir_service_26_0 (consumer_ir_service)) +(typeattributeset content_service_26_0 (content_service)) +(typeattributeset contexthub_service_26_0 (contexthub_service)) +(typeattributeset coredump_file_26_0 (coredump_file)) +(typeattributeset country_detector_service_26_0 (country_detector_service)) 
+(typeattributeset coverage_service_26_0 (coverage_service)) +(typeattributeset cppreopt_prop_26_0 (cppreopt_prop)) +(typeattributeset cppreopts_26_0 (cppreopts)) +(typeattributeset cppreopts_exec_26_0 (cppreopts_exec)) +(typeattributeset cpuctl_device_26_0 (cpuctl_device)) +(typeattributeset cpuinfo_service_26_0 (cpuinfo_service)) +(typeattributeset crash_dump_26_0 (crash_dump)) +(typeattributeset crash_dump_exec_26_0 (crash_dump_exec)) +(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop)) +(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop)) +(typeattributeset ctl_console_prop_26_0 (ctl_console_prop)) +(typeattributeset ctl_default_prop_26_0 (ctl_default_prop)) +(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop)) +(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop)) +(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop)) +(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop)) +(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file)) +(typeattributeset dalvik_prop_26_0 (dalvik_prop)) +(typeattributeset dbinfo_service_26_0 (dbinfo_service)) +(typeattributeset debugfs_26_0 + ( debugfs + debugfs_wakeup_sources + )) +(typeattributeset debugfs_mmc_26_0 (debugfs_mmc)) +(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker)) +(typeattributeset debugfs_tracing_26_0 (debugfs_tracing)) +(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances)) +(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing)) +(typeattributeset debuggerd_prop_26_0 (debuggerd_prop)) +(typeattributeset debug_prop_26_0 (debug_prop)) +(typeattributeset default_android_hwservice_26_0 (default_android_hwservice)) +(typeattributeset default_android_service_26_0 (default_android_service)) +(typeattributeset default_android_vndservice_26_0 (default_android_vndservice)) +(typeattributeset default_prop_26_0 + ( default_prop pm_prop)) +(typeattributeset device_26_0 (device)) +(typeattributeset 
device_identifiers_service_26_0 (device_identifiers_service)) +(typeattributeset deviceidle_service_26_0 (deviceidle_service)) +(typeattributeset device_logging_prop_26_0 (device_logging_prop)) +(typeattributeset device_policy_service_26_0 (device_policy_service)) +(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service)) +(typeattributeset devpts_26_0 (devpts)) +(typeattributeset dex2oat_26_0 (dex2oat)) +(typeattributeset dex2oat_exec_26_0 (dex2oat_exec)) +(typeattributeset dhcp_26_0 (dhcp)) +(typeattributeset dhcp_data_file_26_0 (dhcp_data_file)) +(typeattributeset dhcp_exec_26_0 (dhcp_exec)) +(typeattributeset dhcp_prop_26_0 (dhcp_prop)) +(typeattributeset diskstats_service_26_0 (diskstats_service)) +(typeattributeset display_service_26_0 (display_service)) +(typeattributeset dm_device_26_0 (dm_device)) +(typeattributeset dnsmasq_26_0 (dnsmasq)) +(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec)) +(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket)) +(typeattributeset DockObserver_service_26_0 (DockObserver_service)) +(typeattributeset dreams_service_26_0 (dreams_service)) +(typeattributeset drm_data_file_26_0 (drm_data_file)) +(typeattributeset drmserver_26_0 (drmserver)) +(typeattributeset drmserver_exec_26_0 (drmserver_exec)) +(typeattributeset drmserver_service_26_0 (drmserver_service)) +(typeattributeset drmserver_socket_26_0 (drmserver_socket)) +(typeattributeset dropbox_service_26_0 (dropbox_service)) +(typeattributeset dumpstate_26_0 (dumpstate)) +(typeattributeset dumpstate_exec_26_0 (dumpstate_exec)) +(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop)) +(typeattributeset dumpstate_prop_26_0 (dumpstate_prop)) +(typeattributeset dumpstate_service_26_0 (dumpstate_service)) +(typeattributeset dumpstate_socket_26_0 (dumpstate_socket)) +(typeattributeset efs_file_26_0 (efs_file)) +(typeattributeset ephemeral_app_26_0 (ephemeral_app)) +(typeattributeset ethernet_service_26_0 (ethernet_service)) 
+(typeattributeset ffs_prop_26_0 (ffs_prop)) +(typeattributeset file_contexts_file_26_0 (file_contexts_file)) +(typeattributeset fingerprintd_26_0 (fingerprintd)) +(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file)) +(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec)) +(typeattributeset fingerprintd_service_26_0 (fingerprintd_service)) +(typeattributeset fingerprint_prop_26_0 (fingerprint_prop)) +(typeattributeset fingerprint_service_26_0 (fingerprint_service)) +(typeattributeset firstboot_prop_26_0 (firstboot_prop)) +(typeattributeset font_service_26_0 (font_service)) +(typeattributeset frp_block_device_26_0 (frp_block_device)) +(typeattributeset fsck_26_0 (fsck)) +(typeattributeset fsck_exec_26_0 (fsck_exec)) +(typeattributeset fscklogs_26_0 (fscklogs)) +(typeattributeset fsck_untrusted_26_0 (fsck_untrusted)) +(typeattributeset full_device_26_0 (full_device)) +(typeattributeset functionfs_26_0 (functionfs)) +(typeattributeset fuse_26_0 (fuse)) +(typeattributeset fuse_device_26_0 (fuse_device)) +(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice)) +(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice)) +(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice)) +(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket)) +(typeattributeset gatekeeperd_26_0 (gatekeeperd)) +(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file)) +(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec)) +(typeattributeset gatekeeper_service_26_0 (gatekeeper_service)) +(typeattributeset gfxinfo_service_26_0 (gfxinfo_service)) +(typeattributeset gps_control_26_0 (gps_control)) +(typeattributeset gpu_device_26_0 (gpu_device)) +(typeattributeset gpu_service_26_0 (gpu_service)) +(typeattributeset graphics_device_26_0 (graphics_device)) +(typeattributeset graphicsstats_service_26_0 (graphicsstats_service)) +(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice)) +(typeattributeset 
hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice)) +(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice)) +(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice)) +(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs)) +(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice)) +(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice)) +(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice)) +(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice)) +(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service)) +(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice)) +(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice)) +(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice)) +(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice)) +(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice)) +(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice)) +(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice)) +(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice)) +(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice)) +(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice)) +(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice)) +(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice)) +(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice)) +(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice)) +(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice)) +(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice)) +(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice)) +(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice)) 
+(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice)) +(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice)) +(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice)) +(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice)) +(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice)) +(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice)) +(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice)) +(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice)) +(typeattributeset hardware_properties_service_26_0 (hardware_properties_service)) +(typeattributeset hardware_service_26_0 (hardware_service)) +(typeattributeset hci_attach_dev_26_0 (hci_attach_dev)) +(typeattributeset hdmi_control_service_26_0 (hdmi_control_service)) +(typeattributeset healthd_26_0 (healthd)) +(typeattributeset healthd_exec_26_0 (healthd_exec)) +(typeattributeset heapdump_data_file_26_0 (heapdump_data_file)) +(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice)) +(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice)) +(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice)) +(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice)) +(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice)) +(typeattributeset hwbinder_device_26_0 (hwbinder_device)) +(typeattributeset hw_random_device_26_0 (hw_random_device)) +(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file)) +(typeattributeset hwservicemanager_26_0 (hwservicemanager)) +(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec)) +(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop)) +(typeattributeset i2c_device_26_0 (i2c_device)) +(typeattributeset icon_file_26_0 (icon_file)) +(typeattributeset idmap_26_0 (idmap)) +(typeattributeset idmap_exec_26_0 (idmap_exec)) +(typeattributeset iio_device_26_0 (iio_device)) +(typeattributeset 
imms_service_26_0 (imms_service)) +(typeattributeset incident_26_0 (incident)) +(typeattributeset incidentd_26_0 (incidentd)) +(typeattributeset incident_data_file_26_0 (incident_data_file)) +(typeattributeset incident_service_26_0 (incident_service)) +(typeattributeset init_26_0 (init)) +(typeattributeset init_exec_26_0 (init_exec)) +(typeattributeset inotify_26_0 (inotify)) +(typeattributeset input_device_26_0 (input_device)) +(typeattributeset inputflinger_26_0 (inputflinger)) +(typeattributeset inputflinger_exec_26_0 (inputflinger_exec)) +(typeattributeset inputflinger_service_26_0 (inputflinger_service)) +(typeattributeset input_method_service_26_0 (input_method_service)) +(typeattributeset input_service_26_0 (input_service)) +(typeattributeset installd_26_0 (installd)) +(typeattributeset install_data_file_26_0 (install_data_file)) +(typeattributeset installd_exec_26_0 (installd_exec)) +(typeattributeset installd_service_26_0 (installd_service)) +(typeattributeset install_recovery_26_0 (install_recovery)) +(typeattributeset install_recovery_exec_26_0 (install_recovery_exec)) +(typeattributeset ion_device_26_0 (ion_device)) +(typeattributeset IProxyService_service_26_0 (IProxyService_service)) +(typeattributeset ipsec_service_26_0 (ipsec_service)) +(typeattributeset isolated_app_26_0 (isolated_app)) +(typeattributeset jobscheduler_service_26_0 (jobscheduler_service)) +(typeattributeset kernel_26_0 (kernel)) +(typeattributeset keychain_data_file_26_0 (keychain_data_file)) +(typeattributeset keychord_device_26_0 (keychord_device)) +(typeattributeset keystore_26_0 (keystore)) +(typeattributeset keystore_data_file_26_0 (keystore_data_file)) +(typeattributeset keystore_exec_26_0 (keystore_exec)) +(typeattributeset keystore_service_26_0 (keystore_service)) +(typeattributeset kmem_device_26_0 (kmem_device)) +(typeattributeset kmsg_device_26_0 (kmsg_device)) +(typeattributeset labeledfs_26_0 (labeledfs)) +(typeattributeset launcherapps_service_26_0 
(launcherapps_service)) +(typeattributeset lmkd_26_0 (lmkd)) +(typeattributeset lmkd_exec_26_0 (lmkd_exec)) +(typeattributeset lmkd_socket_26_0 (lmkd_socket)) +(typeattributeset location_service_26_0 (location_service)) +(typeattributeset lock_settings_service_26_0 (lock_settings_service)) +(typeattributeset logcat_exec_26_0 (logcat_exec)) +(typeattributeset logd_26_0 (logd)) +(typeattributeset log_device_26_0 (log_device)) +(typeattributeset logd_exec_26_0 (logd_exec)) +(typeattributeset logd_prop_26_0 (logd_prop)) +(typeattributeset logdr_socket_26_0 (logdr_socket)) +(typeattributeset logd_socket_26_0 (logd_socket)) +(typeattributeset logdw_socket_26_0 (logdw_socket)) +(typeattributeset logpersist_26_0 (logpersist)) +(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop)) +(typeattributeset log_prop_26_0 (log_prop)) +(typeattributeset log_tag_prop_26_0 (log_tag_prop)) +(typeattributeset loop_control_device_26_0 (loop_control_device)) +(typeattributeset loop_device_26_0 (loop_device)) +(typeattributeset mac_perms_file_26_0 (mac_perms_file)) +(typeattributeset mdnsd_26_0 (mdnsd)) +(typeattributeset mdnsd_socket_26_0 (mdnsd_socket)) +(typeattributeset mdns_socket_26_0 (mdns_socket)) +(typeattributeset mediacasserver_service_26_0 (mediacasserver_service)) +(typeattributeset mediacodec_26_0 (mediacodec)) +(typeattributeset mediacodec_exec_26_0 (mediacodec_exec)) +(typeattributeset mediacodec_service_26_0 (mediacodec_service)) +(typeattributeset media_data_file_26_0 (media_data_file)) +(typeattributeset mediadrmserver_26_0 (mediadrmserver)) +(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec)) +(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service)) +(typeattributeset mediaextractor_26_0 (mediaextractor)) +(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec)) +(typeattributeset mediaextractor_service_26_0 (mediaextractor_service)) +(typeattributeset mediametrics_26_0 (mediametrics)) +(typeattributeset 
mediametrics_exec_26_0 (mediametrics_exec)) +(typeattributeset mediametrics_service_26_0 (mediametrics_service)) +(typeattributeset media_projection_service_26_0 (media_projection_service)) +(typeattributeset media_router_service_26_0 (media_router_service)) +(typeattributeset media_rw_data_file_26_0 (media_rw_data_file)) +(typeattributeset mediaserver_26_0 (mediaserver)) +(typeattributeset mediaserver_exec_26_0 (mediaserver_exec)) +(typeattributeset mediaserver_service_26_0 (mediaserver_service)) +(typeattributeset media_session_service_26_0 (media_session_service)) +(typeattributeset meminfo_service_26_0 (meminfo_service)) +(typeattributeset metadata_block_device_26_0 (metadata_block_device)) +(typeattributeset method_trace_data_file_26_0 (method_trace_data_file)) +(typeattributeset midi_service_26_0 (midi_service)) +(typeattributeset misc_block_device_26_0 (misc_block_device)) +(typeattributeset misc_logd_file_26_0 (misc_logd_file)) +(typeattributeset misc_user_data_file_26_0 (misc_user_data_file)) +(typeattributeset mmc_prop_26_0 (mmc_prop)) +(typeattributeset mnt_expand_file_26_0 (mnt_expand_file)) +(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file)) +(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file)) +(typeattributeset mnt_user_file_26_0 (mnt_user_file)) +(typeattributeset modprobe_26_0 (modprobe)) +(typeattributeset mount_service_26_0 (mount_service)) +(typeattributeset mqueue_26_0 (mqueue)) +(typeattributeset mtd_device_26_0 (mtd_device)) +(typeattributeset mtp_26_0 (mtp)) +(typeattributeset mtp_device_26_0 (mtp_device)) +(typeattributeset mtpd_socket_26_0 (mtpd_socket)) +(typeattributeset mtp_exec_26_0 (mtp_exec)) +(typeattributeset nativetest_data_file_26_0 (nativetest_data_file)) +(typeattributeset netd_26_0 (netd)) +(typeattributeset net_data_file_26_0 (net_data_file)) +(typeattributeset netd_exec_26_0 (netd_exec)) +(typeattributeset netd_listener_service_26_0 (netd_listener_service)) +(typeattributeset net_dns_prop_26_0 
(net_dns_prop))
+(typeattributeset netd_service_26_0 (netd_service))
+(typeattributeset netd_socket_26_0 (netd_socket))
+(typeattributeset netif_26_0 (netif))
+(typeattributeset netpolicy_service_26_0 (netpolicy_service))
+(typeattributeset net_radio_prop_26_0 (net_radio_prop))
+(typeattributeset netstats_service_26_0 (netstats_service))
+(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_26_0 (network_management_service))
+(typeattributeset network_score_service_26_0 (network_score_service))
+(typeattributeset network_time_update_service_26_0 (network_time_update_service))
+(typeattributeset nfc_26_0 (nfc))
+(typeattributeset nfc_data_file_26_0 (nfc_data_file))
+(typeattributeset nfc_device_26_0 (nfc_device))
+(typeattributeset nfc_prop_26_0 (nfc_prop))
+(typeattributeset nfc_service_26_0 (nfc_service))
+(typeattributeset node_26_0 (node))
+(typeattributeset notification_service_26_0 (notification_service))
+(typeattributeset null_device_26_0 (null_device))
+(typeattributeset oemfs_26_0 (oemfs))
+(typeattributeset oem_lock_service_26_0 (oem_lock_service))
+(typeattributeset ota_data_file_26_0 (ota_data_file))
+(typeattributeset otadexopt_service_26_0 (otadexopt_service))
+(typeattributeset ota_package_file_26_0 (ota_package_file))
+(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
+(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
+(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
+(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
+(typeattributeset overlay_prop_26_0 (overlay_prop))
+(typeattributeset overlay_service_26_0 (overlay_service))
+(typeattributeset owntty_device_26_0 (owntty_device))
+(typeattributeset package_service_26_0 (package_service))
+(typeattributeset pan_result_prop_26_0 (pan_result_prop))
+(typeattributeset pdx_bufferhub_client_channel_socket_26_0
(pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
+(typeattributeset performanced_26_0 (performanced))
+(typeattributeset performanced_exec_26_0 (performanced_exec))
+(typeattributeset perfprofd_26_0 (perfprofd))
+(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
+(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
+(typeattributeset permission_service_26_0 (permission_service))
+(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_26_0 (pinner_service))
+(typeattributeset
pipefs_26_0 (pipefs))
+(typeattributeset platform_app_26_0 (platform_app))
+(typeattributeset pmsg_device_26_0 (pmsg_device))
+(typeattributeset port_26_0 (port))
+(typeattributeset port_device_26_0 (port_device))
+(typeattributeset postinstall_26_0 (postinstall))
+(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
+(typeattributeset postinstall_file_26_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
+(typeattributeset powerctl_prop_26_0 (powerctl_prop))
+(typeattributeset power_service_26_0 (power_service))
+(typeattributeset ppp_26_0 (ppp))
+(typeattributeset ppp_device_26_0 (ppp_device))
+(typeattributeset ppp_exec_26_0 (ppp_exec))
+(typeattributeset preloads_data_file_26_0 (preloads_data_file))
+(typeattributeset preloads_media_file_26_0 (preloads_media_file))
+(typeattributeset preopt2cachename_26_0 (preopt2cachename))
+(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
+(typeattributeset print_service_26_0 (print_service))
+(typeattributeset priv_app_26_0 (mediaprovider priv_app))
+(typeattributeset proc_26_0
+ ( proc
+ proc_abi
+ proc_asound
+ proc_buddyinfo
+ proc_cmdline
+ proc_dirty
+ proc_diskstats
+ proc_extra_free_kbytes
+ proc_filesystems
+ proc_hostname
+ proc_hung_task
+ proc_kmsg
+ proc_loadavg
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_mounts
+ proc_page_cluster
+ proc_pagetypeinfo
+ proc_panic
+ proc_pid_max
+ proc_pipe_conf
+ proc_random
+ proc_sched
+ proc_swaps
+ proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_uid_cpupower
+ proc_uptime
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat))
+(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
+(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
+(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
+(typeattributeset processinfo_service_26_0 (processinfo_service))
+(typeattributeset proc_interrupts_26_0 (proc_interrupts))
+(typeattributeset proc_iomem_26_0 (proc_iomem))
+(typeattributeset proc_meminfo_26_0 (proc_meminfo))
+(typeattributeset proc_misc_26_0 (proc_misc))
+(typeattributeset proc_modules_26_0 (proc_modules))
+(typeattributeset proc_net_26_0
+ ( proc_net
+ proc_qtaguid_stat))
+(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
+(typeattributeset proc_perf_26_0 (proc_perf))
+(typeattributeset proc_security_26_0 (proc_security))
+(typeattributeset proc_stat_26_0 (proc_stat))
+(typeattributeset procstats_service_26_0 (procstats_service))
+(typeattributeset proc_sysrq_26_0 (proc_sysrq))
+(typeattributeset proc_timer_26_0 (proc_timer))
+(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
+(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
+(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
+(typeattributeset profman_26_0 (profman))
+(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
+(typeattributeset profman_exec_26_0 (profman_exec))
+(typeattributeset properties_device_26_0 (properties_device))
+(typeattributeset properties_serial_26_0 (properties_serial))
+(typeattributeset property_contexts_file_26_0 (property_contexts_file))
+(typeattributeset property_data_file_26_0 (property_data_file))
+(typeattributeset property_socket_26_0 (property_socket))
+(typeattributeset pstorefs_26_0 (pstorefs))
+(typeattributeset ptmx_device_26_0 (ptmx_device))
+(typeattributeset qtaguid_device_26_0 (qtaguid_device))
+(typeattributeset qtaguid_proc_26_0 (qtaguid_proc))
+(typeattributeset racoon_26_0 (racoon))
+(typeattributeset racoon_exec_26_0 (racoon_exec))
+(typeattributeset racoon_socket_26_0 (racoon_socket))
+(typeattributeset radio_26_0 (radio))
+(typeattributeset radio_data_file_26_0
(radio_data_file))
+(typeattributeset radio_device_26_0 (radio_device))
+(typeattributeset radio_prop_26_0 (radio_prop))
+(typeattributeset radio_service_26_0 (radio_service))
+(typeattributeset ram_device_26_0 (ram_device))
+(typeattributeset random_device_26_0 (random_device))
+(typeattributeset reboot_data_file_26_0 (reboot_data_file))
+(typeattributeset recovery_26_0 (recovery))
+(typeattributeset recovery_block_device_26_0 (recovery_block_device))
+(typeattributeset recovery_data_file_26_0 (recovery_data_file))
+(typeattributeset recovery_persist_26_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_26_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_26_0 (recovery_service))
+(typeattributeset registry_service_26_0 (registry_service))
+(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_26_0 (restorecon_prop))
+(typeattributeset restrictions_service_26_0 (restrictions_service))
+(typeattributeset rild_26_0 (rild))
+(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
+(typeattributeset rild_socket_26_0 (rild_socket))
+(typeattributeset ringtone_file_26_0 (ringtone_file))
+(typeattributeset root_block_device_26_0 (root_block_device))
+(typeattributeset rootfs_26_0 (rootfs))
+(typeattributeset rpmsg_device_26_0 (rpmsg_device))
+(typeattributeset rtc_device_26_0 (rtc_device))
+(typeattributeset rttmanager_service_26_0 (rttmanager_service))
+(typeattributeset runas_26_0 (runas))
+(typeattributeset runas_exec_26_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
+(typeattributeset safemode_prop_26_0 (safemode_prop))
+(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
+(typeattributeset
scheduling_policy_service_26_0 (scheduling_policy_service))
+(typeattributeset sdcardd_26_0 (sdcardd))
+(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
+(typeattributeset sdcardfs_26_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
+(typeattributeset search_service_26_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
+(typeattributeset selinuxfs_26_0 (selinuxfs))
+(typeattributeset sensors_device_26_0 (sensors_device))
+(typeattributeset sensorservice_service_26_0 (sensorservice_service))
+(typeattributeset sepolicy_file_26_0 (sepolicy_file))
+(typeattributeset serial_device_26_0 (serial_device))
+(typeattributeset serialno_prop_26_0 (serialno_prop))
+(typeattributeset serial_service_26_0 (serial_service))
+(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
+(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
+(typeattributeset servicemanager_26_0 (servicemanager))
+(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
+(typeattributeset settings_service_26_0 (settings_service))
+(typeattributeset sgdisk_26_0 (sgdisk))
+(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
+(typeattributeset shared_relro_26_0 (shared_relro))
+(typeattributeset shared_relro_file_26_0 (shared_relro_file))
+(typeattributeset shell_26_0 (shell))
+(typeattributeset shell_data_file_26_0 (shell_data_file))
+(typeattributeset shell_exec_26_0 (shell_exec))
+(typeattributeset shell_prop_26_0 (shell_prop))
+(typeattributeset shm_26_0 (shm))
+(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_26_0 (shortcut_service))
+(typeattributeset slideshow_26_0 (slideshow))
+(typeattributeset socket_device_26_0 (socket_device))
+(typeattributeset sockfs_26_0 (sockfs))
+(typeattributeset statusbar_service_26_0 (statusbar_service))
+(typeattributeset
storaged_service_26_0 (storaged_service))
+(typeattributeset storage_file_26_0 (storage_file))
+(typeattributeset storagestats_service_26_0 (storagestats_service))
+(typeattributeset storage_stub_file_26_0 (storage_stub_file))
+(typeattributeset su_26_0 (su))
+(typeattributeset su_exec_26_0 (su_exec))
+(typeattributeset surfaceflinger_26_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
+(typeattributeset swap_block_device_26_0 (swap_block_device))
+(typeattributeset sysfs_26_0
+ ( sysfs
+ sysfs_android_usb
+ sysfs_dm
+ sysfs_dt_firmware_android
+ sysfs_ipv4
+ sysfs_kernel_notes
+ sysfs_net
+ sysfs_power
+ sysfs_rtc
+ sysfs_switch
+ sysfs_wakeup_reasons))
+(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
+(typeattributeset sysfs_leds_26_0 (sysfs_leds))
+(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
+(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
+(typeattributeset sysfs_uio_26_0 (sysfs_uio))
+(typeattributeset sysfs_usb_26_0 (sysfs_usb))
+(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_26_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
+(typeattributeset system_app_26_0 (system_app))
+(typeattributeset system_app_data_file_26_0 (system_app_data_file))
+(typeattributeset system_app_service_26_0 (system_app_service))
+(typeattributeset system_block_device_26_0 (system_block_device))
+(typeattributeset system_data_file_26_0
+ ( system_data_file
+
vendor_data_file))
+(typeattributeset system_file_26_0 (system_file))
+(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
+(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
+(typeattributeset system_prop_26_0 (system_prop))
+(typeattributeset system_radio_prop_26_0 (system_radio_prop))
+(typeattributeset system_server_26_0 (system_server))
+(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
+(typeattributeset task_service_26_0 (task_service))
+(typeattributeset tee_26_0 (tee))
+(typeattributeset tee_data_file_26_0 (tee_data_file))
+(typeattributeset tee_device_26_0 (tee_device))
+(typeattributeset telecom_service_26_0 (telecom_service))
+(typeattributeset textclassification_service_26_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
+(typeattributeset textservices_service_26_0 (textservices_service))
+(typeattributeset tmpfs_26_0 (tmpfs))
+(typeattributeset tombstoned_26_0 (tombstoned))
+(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
+(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
+(typeattributeset toolbox_26_0 (toolbox))
+(typeattributeset toolbox_exec_26_0 (toolbox_exec))
+(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
+(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
+(typeattributeset trust_service_26_0 (trust_service))
+(typeattributeset tty_device_26_0 (tty_device))
+(typeattributeset tun_device_26_0 (tun_device))
+(typeattributeset tv_input_service_26_0 (tv_input_service))
+(typeattributeset tzdatacheck_26_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
+(typeattributeset ueventd_26_0 (ueventd))
+(typeattributeset uhid_device_26_0 (uhid_device))
+(typeattributeset uimode_service_26_0 (uimode_service))
+(typeattributeset uio_device_26_0 (uio_device))
+(typeattributeset uncrypt_26_0 (uncrypt))
+(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
+(typeattributeset unlabeled_26_0 (unlabeled))
+(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
+(typeattributeset untrusted_app_26_0
+ ( untrusted_app
+ untrusted_app_27))
+(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
+(typeattributeset update_engine_26_0 (update_engine))
+(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_26_0 (update_engine_exec))
+(typeattributeset update_engine_service_26_0 (update_engine_service))
+(typeattributeset updatelock_service_26_0 (updatelock_service))
+(typeattributeset update_verifier_26_0 (update_verifier))
+(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
+(typeattributeset usagestats_service_26_0 (usagestats_service))
+(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
+(typeattributeset usb_device_26_0 (usb_device))
+(typeattributeset usbfs_26_0 (usbfs))
+(typeattributeset usb_service_26_0 (usb_service))
+(typeattributeset userdata_block_device_26_0 (userdata_block_device))
+(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
+(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
+(typeattributeset user_service_26_0 (user_service))
+(typeattributeset vcs_device_26_0 (vcs_device))
+(typeattributeset vdc_26_0 (vdc))
+(typeattributeset vdc_exec_26_0 (vdc_exec))
+(typeattributeset vendor_app_file_26_0 (vendor_app_file))
+(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
+(typeattributeset vendor_file_26_0 (vendor_file))
+(typeattributeset
vendor_framework_file_26_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
+(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
+(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
+(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
+(typeattributeset vfat_26_0 (vfat))
+(typeattributeset vibrator_service_26_0 (vibrator_service))
+(typeattributeset video_device_26_0 (video_device))
+(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_26_0 (vndbinder_device))
+(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_26_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
+(typeattributeset vold_26_0 (vold))
+(typeattributeset vold_data_file_26_0 (vold_data_file))
+(typeattributeset vold_device_26_0 (vold_device))
+(typeattributeset vold_exec_26_0 (vold_exec))
+(typeattributeset vold_prop_26_0 (vold_prop))
+(typeattributeset vold_socket_26_0 (vold_socket))
+(typeattributeset vpn_data_file_26_0 (vpn_data_file))
+(typeattributeset vr_hwc_26_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_26_0 (vr_manager_service))
+(typeattributeset wallpaper_file_26_0 (wallpaper_file))
+(typeattributeset wallpaper_service_26_0 (wallpaper_service))
+(typeattributeset watchdogd_26_0 (watchdogd))
+(typeattributeset watchdog_device_26_0 (watchdog_device))
+(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
+(typeattributeset webview_zygote_26_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
+(typeattributeset
webview_zygote_socket_26_0 (webview_zygote_socket))
+(typeattributeset wifiaware_service_26_0 (wifiaware_service))
+(typeattributeset wificond_26_0 (wificond))
+(typeattributeset wificond_exec_26_0 (wificond_exec))
+(typeattributeset wificond_service_26_0 (wificond_service))
+(typeattributeset wifi_data_file_26_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
+(typeattributeset wifip2p_service_26_0 (wifip2p_service))
+(typeattributeset wifi_prop_26_0 (wifi_prop))
+(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
+(typeattributeset wifi_service_26_0 (wifi_service))
+(typeattributeset window_service_26_0 (window_service))
+(typeattributeset wpa_socket_26_0 (wpa_socket))
+(typeattributeset zero_device_26_0 (zero_device))
+(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
+(typeattributeset zygote_26_0 (zygote))
+(typeattributeset zygote_exec_26_0 (zygote_exec))
+(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
new file mode 100644
index 000000000..71c7a0074
--- /dev/null
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
@@ -0,0 +1,139 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( adbd_exec
+ atrace
+ binder_calls_stats_service
+ bootloader_boot_reason_prop
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
+ bluetooth_a2dp_offload_prop
+ bpfloader
+ bpfloader_exec
+ broadcastradio_service
+ cgroup_bpf
+ crossprofileapps_service
+ e2fs
+ e2fs_exec
+ exported_bluetooth_prop
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_overlay_prop
+ exported_pm_prop
+ exported_radio_prop
+ exported_secure_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported_wifi_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_radio_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_radio_prop
+ exported3_system_prop
+ fingerprint_vendor_data_file
+ fs_bpf
+ hal_authsecret_hwservice
+ hal_broadcastradio_hwservice
+ hal_cas_hwservice
+ hal_codec2_hwservice
+ hal_confirmationui_hwservice
+ hal_lowpan_hwservice
+ hal_neuralnetworks_hwservice
+ hal_secure_element_hwservice
+ hal_tetheroffload_hwservice
+ hal_wifi_hostapd_hwservice
+ hal_usb_gadget_hwservice
+ hal_wifi_offload_hwservice
+ incident_helper
+ incident_helper_exec
+ kmsg_debug_device
+ last_boot_reason_prop
+ lowpan_device
+ lowpan_prop
+ lowpan_service
+ mediaextractor_update_service
+ mediaprovider_tmpfs
+ netd_stable_secret_prop
+ network_watchlist_data_file
+ network_watchlist_service
+ package_native_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
+ perfprofd_service
+ property_info
+ secure_element
+ secure_element_device
+ secure_element_tmpfs
+ secure_element_service
+ slice_service
+ stats
+
stats_data_file
+ stats_exec
+ stats_service
+ statsd
+ statsd_exec
+ statsd_tmpfs
+ statscompanion_service
+ storaged_data_file
+ sysfs_fs_ext4_features
+ system_boot_reason_prop
+ system_net_netd_hwservice
+ system_update_service
+ thermal_service
+ thermalcallback_hwservice
+ thermalserviced
+ thermalserviced_exec
+ thermalserviced_tmpfs
+ timezone_service
+ tombstoned_java_trace_socket
+ tombstone_wifi_data_file
+ trace_data_file
+ traceur_app
+ traceur_app_tmpfs
+ traced
+ traced_consumer_socket
+ traced_exec
+ traced_probes
+ traced_probes_exec
+ traced_probes_tmpfs
+ traced_producer_socket
+ traced_tmpfs
+ untrusted_app_all_devpts
+ update_engine_log_data_file
+ vendor_default_prop
+ usbd
+ usbd_exec
+ usbd_tmpfs
+ vendor_init
+ vendor_shell
+ vold_metadata_file
+ vold_prepare_subdirs
+ vold_prepare_subdirs_exec
+ vold_service
+ wpantund
+ wpantund_exec
+ wpantund_service
+ wpantund_tmpfs
+ wm_trace_data_file))
+
+;; private_objects - a collection of types that were labeled differently in
+;; older policy, but that should not remain accessible to vendor policy.
+;; Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects
+ ( adbd_tmpfs
+ untrusted_app_27_tmpfs
+ ))
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
new file mode 100644
index 000000000..52760f791
--- /dev/null
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
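Review bot: The comment above the second block names the attribute `private_objects`, but the declaration that follows is `(typeattribute priv_objects)`; the comment should read `;; priv_objects - a collection of types that were labeled differently in` so that a search for the attribute name finds its explanation. In the `new_objects` set, `vendor_default_prop` is placed between `update_engine_log_data_file` and `usbd`, breaking the otherwise alphabetical order that makes this list easy to audit for duplicates against the compat mapping. Since this file sits under prebuilts/api/28.0 and appears to be a frozen snapshot, both fixes presumably belong in the source policy copy and should reach this file by regenerating the snapshot rather than by hand-editing it.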
@@ -0,0 +1,1484 @@
+;; types removed from current policy
+(type webview_zygote_socket)
+(type reboot_data_file)
+(type vold_socket)
+(type rild)
+
+(expandtypeattribute (accessibility_service_27_0) true)
+(expandtypeattribute (account_service_27_0) true)
+(expandtypeattribute (activity_service_27_0) true)
+(expandtypeattribute (adbd_27_0) true)
+(expandtypeattribute (adb_data_file_27_0) true)
+(expandtypeattribute (adbd_exec_27_0) true)
+(expandtypeattribute (adbd_socket_27_0) true)
+(expandtypeattribute (adb_keys_file_27_0) true)
+(expandtypeattribute (alarm_device_27_0) true)
+(expandtypeattribute (alarm_service_27_0) true)
+(expandtypeattribute (anr_data_file_27_0) true)
+(expandtypeattribute (apk_data_file_27_0) true)
+(expandtypeattribute (apk_private_data_file_27_0) true)
+(expandtypeattribute (apk_private_tmp_file_27_0) true)
+(expandtypeattribute (apk_tmp_file_27_0) true)
+(expandtypeattribute (app_data_file_27_0) true)
+(expandtypeattribute (app_fuse_file_27_0) true)
+(expandtypeattribute (app_fusefs_27_0) true)
+(expandtypeattribute (appops_service_27_0) true)
+(expandtypeattribute (appwidget_service_27_0) true)
+(expandtypeattribute (asec_apk_file_27_0) true)
+(expandtypeattribute (asec_image_file_27_0) true)
+(expandtypeattribute (asec_public_file_27_0) true)
+(expandtypeattribute (ashmem_device_27_0) true)
+(expandtypeattribute (assetatlas_service_27_0) true)
+(expandtypeattribute (audio_data_file_27_0) true)
+(expandtypeattribute (audio_device_27_0) true)
+(expandtypeattribute (audiohal_data_file_27_0) true)
+(expandtypeattribute (audio_prop_27_0) true)
+(expandtypeattribute (audio_seq_device_27_0) true)
+(expandtypeattribute (audioserver_27_0) true)
+(expandtypeattribute (audioserver_data_file_27_0) true)
+(expandtypeattribute (audioserver_service_27_0) true)
+(expandtypeattribute (audio_service_27_0) true)
+(expandtypeattribute (audio_timer_device_27_0) true)
+(expandtypeattribute (autofill_service_27_0) true)
+(expandtypeattribute
(backup_data_file_27_0) true)
+(expandtypeattribute (backup_service_27_0) true)
+(expandtypeattribute (batteryproperties_service_27_0) true)
+(expandtypeattribute (battery_service_27_0) true)
+(expandtypeattribute (batterystats_service_27_0) true)
+(expandtypeattribute (binder_device_27_0) true)
+(expandtypeattribute (binfmt_miscfs_27_0) true)
+(expandtypeattribute (blkid_27_0) true)
+(expandtypeattribute (blkid_untrusted_27_0) true)
+(expandtypeattribute (block_device_27_0) true)
+(expandtypeattribute (bluetooth_27_0) true)
+(expandtypeattribute (bluetooth_data_file_27_0) true)
+(expandtypeattribute (bluetooth_efs_file_27_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
+(expandtypeattribute (bluetooth_manager_service_27_0) true)
+(expandtypeattribute (bluetooth_prop_27_0) true)
+(expandtypeattribute (bluetooth_service_27_0) true)
+(expandtypeattribute (bluetooth_socket_27_0) true)
+(expandtypeattribute (bootanim_27_0) true)
+(expandtypeattribute (bootanim_exec_27_0) true)
+(expandtypeattribute (boot_block_device_27_0) true)
+(expandtypeattribute (bootchart_data_file_27_0) true)
+(expandtypeattribute (bootstat_27_0) true)
+(expandtypeattribute (bootstat_data_file_27_0) true)
+(expandtypeattribute (bootstat_exec_27_0) true)
+(expandtypeattribute (boottime_prop_27_0) true)
+(expandtypeattribute (boottrace_data_file_27_0) true)
+(expandtypeattribute (broadcastradio_service_27_0) true)
+(expandtypeattribute (bufferhubd_27_0) true)
+(expandtypeattribute (bufferhubd_exec_27_0) true)
+(expandtypeattribute (cache_backup_file_27_0) true)
+(expandtypeattribute (cache_block_device_27_0) true)
+(expandtypeattribute (cache_file_27_0) true)
+(expandtypeattribute (cache_private_backup_file_27_0) true)
+(expandtypeattribute (cache_recovery_file_27_0) true)
+(expandtypeattribute (camera_data_file_27_0) true)
+(expandtypeattribute (camera_device_27_0) true)
+(expandtypeattribute (cameraproxy_service_27_0) true)
+(expandtypeattribute (cameraserver_27_0) true)
+(expandtypeattribute (cameraserver_exec_27_0) true)
+(expandtypeattribute (cameraserver_service_27_0) true)
+(expandtypeattribute (cgroup_27_0) true)
+(expandtypeattribute (charger_27_0) true)
+(expandtypeattribute (clatd_27_0) true)
+(expandtypeattribute (clatd_exec_27_0) true)
+(expandtypeattribute (clipboard_service_27_0) true)
+(expandtypeattribute (commontime_management_service_27_0) true)
+(expandtypeattribute (companion_device_service_27_0) true)
+(expandtypeattribute (configfs_27_0) true)
+(expandtypeattribute (config_prop_27_0) true)
+(expandtypeattribute (connectivity_service_27_0) true)
+(expandtypeattribute (connmetrics_service_27_0) true)
+(expandtypeattribute (console_device_27_0) true)
+(expandtypeattribute (consumer_ir_service_27_0) true)
+(expandtypeattribute (content_service_27_0) true)
+(expandtypeattribute (contexthub_service_27_0) true)
+(expandtypeattribute (coredump_file_27_0) true)
+(expandtypeattribute (country_detector_service_27_0) true)
+(expandtypeattribute (coverage_service_27_0) true)
+(expandtypeattribute (cppreopt_prop_27_0) true)
+(expandtypeattribute (cppreopts_27_0) true)
+(expandtypeattribute (cppreopts_exec_27_0) true)
+(expandtypeattribute (cpuctl_device_27_0) true)
+(expandtypeattribute (cpuinfo_service_27_0) true)
+(expandtypeattribute (crash_dump_27_0) true)
+(expandtypeattribute (crash_dump_exec_27_0) true)
+(expandtypeattribute (ctl_bootanim_prop_27_0) true)
+(expandtypeattribute (ctl_bugreport_prop_27_0) true)
+(expandtypeattribute (ctl_console_prop_27_0) true)
+(expandtypeattribute (ctl_default_prop_27_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
+(expandtypeattribute (ctl_fuse_prop_27_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
+(expandtypeattribute (dalvikcache_data_file_27_0) true)
+(expandtypeattribute (dalvik_prop_27_0) true)
+(expandtypeattribute (dbinfo_service_27_0) true)
+(expandtypeattribute (debugfs_27_0) true)
+(expandtypeattribute (debugfs_mmc_27_0) true)
+(expandtypeattribute (debugfs_trace_marker_27_0) true)
+(expandtypeattribute (debugfs_tracing_27_0) true)
+(expandtypeattribute (debugfs_tracing_debug_27_0) true)
+(expandtypeattribute (debugfs_tracing_instances_27_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
+(expandtypeattribute (debuggerd_prop_27_0) true)
+(expandtypeattribute (debug_prop_27_0) true)
+(expandtypeattribute (default_android_hwservice_27_0) true)
+(expandtypeattribute (default_android_service_27_0) true)
+(expandtypeattribute (default_android_vndservice_27_0) true)
+(expandtypeattribute (default_prop_27_0) true)
+(expandtypeattribute (device_27_0) true)
+(expandtypeattribute (device_identifiers_service_27_0) true)
+(expandtypeattribute (deviceidle_service_27_0) true)
+(expandtypeattribute (device_logging_prop_27_0) true)
+(expandtypeattribute (device_policy_service_27_0) true)
+(expandtypeattribute (devicestoragemonitor_service_27_0) true)
+(expandtypeattribute (devpts_27_0) true)
+(expandtypeattribute (dex2oat_27_0) true)
+(expandtypeattribute (dex2oat_exec_27_0) true)
+(expandtypeattribute (dhcp_27_0) true)
+(expandtypeattribute (dhcp_data_file_27_0) true)
+(expandtypeattribute (dhcp_exec_27_0) true)
+(expandtypeattribute (dhcp_prop_27_0) true)
+(expandtypeattribute (diskstats_service_27_0) true)
+(expandtypeattribute (display_service_27_0) true)
+(expandtypeattribute (dm_device_27_0) true)
+(expandtypeattribute (dnsmasq_27_0) true)
+(expandtypeattribute (dnsmasq_exec_27_0) true)
+(expandtypeattribute (dnsproxyd_socket_27_0) true)
+(expandtypeattribute (DockObserver_service_27_0) true)
+(expandtypeattribute (dreams_service_27_0) true)
+(expandtypeattribute (drm_data_file_27_0) true)
+(expandtypeattribute (drmserver_27_0) true)
+(expandtypeattribute (drmserver_exec_27_0) true)
+(expandtypeattribute (drmserver_service_27_0) true)
+(expandtypeattribute (drmserver_socket_27_0) true)
+(expandtypeattribute (dropbox_service_27_0) true)
+(expandtypeattribute (dumpstate_27_0) true) +(expandtypeattribute (dumpstate_exec_27_0) true) +(expandtypeattribute (dumpstate_options_prop_27_0) true) +(expandtypeattribute (dumpstate_prop_27_0) true) +(expandtypeattribute (dumpstate_service_27_0) true) +(expandtypeattribute (dumpstate_socket_27_0) true) +(expandtypeattribute (e2fs_27_0) true) +(expandtypeattribute (e2fs_exec_27_0) true) +(expandtypeattribute (efs_file_27_0) true) +(expandtypeattribute (ephemeral_app_27_0) true) +(expandtypeattribute (ethernet_service_27_0) true) +(expandtypeattribute (ffs_prop_27_0) true) +(expandtypeattribute (file_contexts_file_27_0) true) +(expandtypeattribute (fingerprintd_27_0) true) +(expandtypeattribute (fingerprintd_data_file_27_0) true) +(expandtypeattribute (fingerprintd_exec_27_0) true) +(expandtypeattribute (fingerprintd_service_27_0) true) +(expandtypeattribute (fingerprint_prop_27_0) true) +(expandtypeattribute (fingerprint_service_27_0) true) +(expandtypeattribute (firstboot_prop_27_0) true) +(expandtypeattribute (font_service_27_0) true) +(expandtypeattribute (frp_block_device_27_0) true) +(expandtypeattribute (fsck_27_0) true) +(expandtypeattribute (fsck_exec_27_0) true) +(expandtypeattribute (fscklogs_27_0) true) +(expandtypeattribute (fsck_untrusted_27_0) true) +(expandtypeattribute (full_device_27_0) true) +(expandtypeattribute (functionfs_27_0) true) +(expandtypeattribute (fuse_27_0) true) +(expandtypeattribute (fuse_device_27_0) true) +(expandtypeattribute (fwk_display_hwservice_27_0) true) +(expandtypeattribute (fwk_scheduler_hwservice_27_0) true) +(expandtypeattribute (fwk_sensor_hwservice_27_0) true) +(expandtypeattribute (fwmarkd_socket_27_0) true) +(expandtypeattribute (gatekeeperd_27_0) true) +(expandtypeattribute (gatekeeper_data_file_27_0) true) +(expandtypeattribute (gatekeeperd_exec_27_0) true) +(expandtypeattribute (gatekeeper_service_27_0) true) +(expandtypeattribute (gfxinfo_service_27_0) true) +(expandtypeattribute (gps_control_27_0) true) 
+(expandtypeattribute (gpu_device_27_0) true) +(expandtypeattribute (gpu_service_27_0) true) +(expandtypeattribute (graphics_device_27_0) true) +(expandtypeattribute (graphicsstats_service_27_0) true) +(expandtypeattribute (hal_audio_hwservice_27_0) true) +(expandtypeattribute (hal_bluetooth_hwservice_27_0) true) +(expandtypeattribute (hal_bootctl_hwservice_27_0) true) +(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true) +(expandtypeattribute (hal_camera_hwservice_27_0) true) +(expandtypeattribute (hal_cas_hwservice_27_0) true) +(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true) +(expandtypeattribute (hal_contexthub_hwservice_27_0) true) +(expandtypeattribute (hal_drm_hwservice_27_0) true) +(expandtypeattribute (hal_dumpstate_hwservice_27_0) true) +(expandtypeattribute (hal_fingerprint_hwservice_27_0) true) +(expandtypeattribute (hal_fingerprint_service_27_0) true) +(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true) +(expandtypeattribute (hal_gnss_hwservice_27_0) true) +(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true) +(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true) +(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true) +(expandtypeattribute (hal_health_hwservice_27_0) true) +(expandtypeattribute (hal_ir_hwservice_27_0) true) +(expandtypeattribute (hal_keymaster_hwservice_27_0) true) +(expandtypeattribute (hal_light_hwservice_27_0) true) +(expandtypeattribute (hal_memtrack_hwservice_27_0) true) +(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true) +(expandtypeattribute (hal_nfc_hwservice_27_0) true) +(expandtypeattribute (hal_oemlock_hwservice_27_0) true) +(expandtypeattribute (hal_omx_hwservice_27_0) true) +(expandtypeattribute (hal_power_hwservice_27_0) true) +(expandtypeattribute (hal_renderscript_hwservice_27_0) true) +(expandtypeattribute (hal_sensors_hwservice_27_0) true) +(expandtypeattribute (hal_telephony_hwservice_27_0) true) +(expandtypeattribute 
(hal_tetheroffload_hwservice_27_0) true) +(expandtypeattribute (hal_thermal_hwservice_27_0) true) +(expandtypeattribute (hal_tv_cec_hwservice_27_0) true) +(expandtypeattribute (hal_tv_input_hwservice_27_0) true) +(expandtypeattribute (hal_usb_hwservice_27_0) true) +(expandtypeattribute (hal_vibrator_hwservice_27_0) true) +(expandtypeattribute (hal_vr_hwservice_27_0) true) +(expandtypeattribute (hal_weaver_hwservice_27_0) true) +(expandtypeattribute (hal_wifi_hwservice_27_0) true) +(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true) +(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true) +(expandtypeattribute (hardware_properties_service_27_0) true) +(expandtypeattribute (hardware_service_27_0) true) +(expandtypeattribute (hci_attach_dev_27_0) true) +(expandtypeattribute (hdmi_control_service_27_0) true) +(expandtypeattribute (healthd_27_0) true) +(expandtypeattribute (healthd_exec_27_0) true) +(expandtypeattribute (heapdump_data_file_27_0) true) +(expandtypeattribute (hidl_allocator_hwservice_27_0) true) +(expandtypeattribute (hidl_base_hwservice_27_0) true) +(expandtypeattribute (hidl_manager_hwservice_27_0) true) +(expandtypeattribute (hidl_memory_hwservice_27_0) true) +(expandtypeattribute (hidl_token_hwservice_27_0) true) +(expandtypeattribute (hwbinder_device_27_0) true) +(expandtypeattribute (hw_random_device_27_0) true) +(expandtypeattribute (hwservice_contexts_file_27_0) true) +(expandtypeattribute (hwservicemanager_27_0) true) +(expandtypeattribute (hwservicemanager_exec_27_0) true) +(expandtypeattribute (hwservicemanager_prop_27_0) true) +(expandtypeattribute (i2c_device_27_0) true) +(expandtypeattribute (icon_file_27_0) true) +(expandtypeattribute (idmap_27_0) true) +(expandtypeattribute (idmap_exec_27_0) true) +(expandtypeattribute (iio_device_27_0) true) +(expandtypeattribute (imms_service_27_0) true) +(expandtypeattribute (incident_27_0) true) +(expandtypeattribute (incidentd_27_0) true) +(expandtypeattribute 
(incident_data_file_27_0) true) +(expandtypeattribute (incident_service_27_0) true) +(expandtypeattribute (init_27_0) true) +(expandtypeattribute (init_exec_27_0) true) +(expandtypeattribute (inotify_27_0) true) +(expandtypeattribute (input_device_27_0) true) +(expandtypeattribute (inputflinger_27_0) true) +(expandtypeattribute (inputflinger_exec_27_0) true) +(expandtypeattribute (inputflinger_service_27_0) true) +(expandtypeattribute (input_method_service_27_0) true) +(expandtypeattribute (input_service_27_0) true) +(expandtypeattribute (installd_27_0) true) +(expandtypeattribute (install_data_file_27_0) true) +(expandtypeattribute (installd_exec_27_0) true) +(expandtypeattribute (installd_service_27_0) true) +(expandtypeattribute (install_recovery_27_0) true) +(expandtypeattribute (install_recovery_exec_27_0) true) +(expandtypeattribute (ion_device_27_0) true) +(expandtypeattribute (IProxyService_service_27_0) true) +(expandtypeattribute (ipsec_service_27_0) true) +(expandtypeattribute (isolated_app_27_0) true) +(expandtypeattribute (jobscheduler_service_27_0) true) +(expandtypeattribute (kernel_27_0) true) +(expandtypeattribute (keychain_data_file_27_0) true) +(expandtypeattribute (keychord_device_27_0) true) +(expandtypeattribute (keystore_27_0) true) +(expandtypeattribute (keystore_data_file_27_0) true) +(expandtypeattribute (keystore_exec_27_0) true) +(expandtypeattribute (keystore_service_27_0) true) +(expandtypeattribute (kmem_device_27_0) true) +(expandtypeattribute (kmsg_debug_device_27_0) true) +(expandtypeattribute (kmsg_device_27_0) true) +(expandtypeattribute (labeledfs_27_0) true) +(expandtypeattribute (launcherapps_service_27_0) true) +(expandtypeattribute (lmkd_27_0) true) +(expandtypeattribute (lmkd_exec_27_0) true) +(expandtypeattribute (lmkd_socket_27_0) true) +(expandtypeattribute (location_service_27_0) true) +(expandtypeattribute (lock_settings_service_27_0) true) +(expandtypeattribute (logcat_exec_27_0) true) +(expandtypeattribute 
(logd_27_0) true) +(expandtypeattribute (logd_exec_27_0) true) +(expandtypeattribute (logd_prop_27_0) true) +(expandtypeattribute (logdr_socket_27_0) true) +(expandtypeattribute (logd_socket_27_0) true) +(expandtypeattribute (logdw_socket_27_0) true) +(expandtypeattribute (logpersist_27_0) true) +(expandtypeattribute (logpersistd_logging_prop_27_0) true) +(expandtypeattribute (log_prop_27_0) true) +(expandtypeattribute (log_tag_prop_27_0) true) +(expandtypeattribute (loop_control_device_27_0) true) +(expandtypeattribute (loop_device_27_0) true) +(expandtypeattribute (mac_perms_file_27_0) true) +(expandtypeattribute (mdnsd_27_0) true) +(expandtypeattribute (mdnsd_socket_27_0) true) +(expandtypeattribute (mdns_socket_27_0) true) +(expandtypeattribute (mediacodec_27_0) true) +(expandtypeattribute (mediacodec_exec_27_0) true) +(expandtypeattribute (mediacodec_service_27_0) true) +(expandtypeattribute (media_data_file_27_0) true) +(expandtypeattribute (mediadrmserver_27_0) true) +(expandtypeattribute (mediadrmserver_exec_27_0) true) +(expandtypeattribute (mediadrmserver_service_27_0) true) +(expandtypeattribute (mediaextractor_27_0) true) +(expandtypeattribute (mediaextractor_exec_27_0) true) +(expandtypeattribute (mediaextractor_service_27_0) true) +(expandtypeattribute (mediametrics_27_0) true) +(expandtypeattribute (mediametrics_exec_27_0) true) +(expandtypeattribute (mediametrics_service_27_0) true) +(expandtypeattribute (media_projection_service_27_0) true) +(expandtypeattribute (mediaprovider_27_0) true) +(expandtypeattribute (media_router_service_27_0) true) +(expandtypeattribute (media_rw_data_file_27_0) true) +(expandtypeattribute (mediaserver_27_0) true) +(expandtypeattribute (mediaserver_exec_27_0) true) +(expandtypeattribute (mediaserver_service_27_0) true) +(expandtypeattribute (media_session_service_27_0) true) +(expandtypeattribute (meminfo_service_27_0) true) +(expandtypeattribute (metadata_block_device_27_0) true) +(expandtypeattribute 
(method_trace_data_file_27_0) true) +(expandtypeattribute (midi_service_27_0) true) +(expandtypeattribute (misc_block_device_27_0) true) +(expandtypeattribute (misc_logd_file_27_0) true) +(expandtypeattribute (misc_user_data_file_27_0) true) +(expandtypeattribute (mmc_prop_27_0) true) +(expandtypeattribute (mnt_expand_file_27_0) true) +(expandtypeattribute (mnt_media_rw_file_27_0) true) +(expandtypeattribute (mnt_media_rw_stub_file_27_0) true) +(expandtypeattribute (mnt_user_file_27_0) true) +(expandtypeattribute (modprobe_27_0) true) +(expandtypeattribute (mount_service_27_0) true) +(expandtypeattribute (mqueue_27_0) true) +(expandtypeattribute (mtd_device_27_0) true) +(expandtypeattribute (mtp_27_0) true) +(expandtypeattribute (mtp_device_27_0) true) +(expandtypeattribute (mtpd_socket_27_0) true) +(expandtypeattribute (mtp_exec_27_0) true) +(expandtypeattribute (nativetest_data_file_27_0) true) +(expandtypeattribute (netd_27_0) true) +(expandtypeattribute (net_data_file_27_0) true) +(expandtypeattribute (netd_exec_27_0) true) +(expandtypeattribute (netd_listener_service_27_0) true) +(expandtypeattribute (net_dns_prop_27_0) true) +(expandtypeattribute (netd_service_27_0) true) +(expandtypeattribute (netd_socket_27_0) true) +(expandtypeattribute (netd_stable_secret_prop_27_0) true) +(expandtypeattribute (netif_27_0) true) +(expandtypeattribute (netpolicy_service_27_0) true) +(expandtypeattribute (net_radio_prop_27_0) true) +(expandtypeattribute (netstats_service_27_0) true) +(expandtypeattribute (netutils_wrapper_27_0) true) +(expandtypeattribute (netutils_wrapper_exec_27_0) true) +(expandtypeattribute (network_management_service_27_0) true) +(expandtypeattribute (network_score_service_27_0) true) +(expandtypeattribute (network_time_update_service_27_0) true) +(expandtypeattribute (nfc_27_0) true) +(expandtypeattribute (nfc_data_file_27_0) true) +(expandtypeattribute (nfc_device_27_0) true) +(expandtypeattribute (nfc_prop_27_0) true) +(expandtypeattribute 
(nfc_service_27_0) true) +(expandtypeattribute (node_27_0) true) +(expandtypeattribute (nonplat_service_contexts_file_27_0) true) +(expandtypeattribute (notification_service_27_0) true) +(expandtypeattribute (null_device_27_0) true) +(expandtypeattribute (oemfs_27_0) true) +(expandtypeattribute (oem_lock_service_27_0) true) +(expandtypeattribute (ota_data_file_27_0) true) +(expandtypeattribute (otadexopt_service_27_0) true) +(expandtypeattribute (ota_package_file_27_0) true) +(expandtypeattribute (otapreopt_chroot_27_0) true) +(expandtypeattribute (otapreopt_chroot_exec_27_0) true) +(expandtypeattribute (otapreopt_slot_27_0) true) +(expandtypeattribute (otapreopt_slot_exec_27_0) true) +(expandtypeattribute (overlay_prop_27_0) true) +(expandtypeattribute (overlay_service_27_0) true) +(expandtypeattribute (owntty_device_27_0) true) +(expandtypeattribute (package_native_service_27_0) true) +(expandtypeattribute (package_service_27_0) true) +(expandtypeattribute (pan_result_prop_27_0) true) +(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true) +(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_bufferhub_dir_27_0) true) +(expandtypeattribute (pdx_display_client_channel_socket_27_0) true) +(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_display_dir_27_0) true) +(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true) +(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true) +(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true) +(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true) +(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true) +(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true) +(expandtypeattribute 
(pdx_performance_dir_27_0) true) +(expandtypeattribute (performanced_27_0) true) +(expandtypeattribute (performanced_exec_27_0) true) +(expandtypeattribute (perfprofd_27_0) true) +(expandtypeattribute (perfprofd_data_file_27_0) true) +(expandtypeattribute (perfprofd_exec_27_0) true) +(expandtypeattribute (permission_service_27_0) true) +(expandtypeattribute (persist_debug_prop_27_0) true) +(expandtypeattribute (persistent_data_block_service_27_0) true) +(expandtypeattribute (persistent_properties_ready_prop_27_0) true) +(expandtypeattribute (pinner_service_27_0) true) +(expandtypeattribute (pipefs_27_0) true) +(expandtypeattribute (platform_app_27_0) true) +(expandtypeattribute (pmsg_device_27_0) true) +(expandtypeattribute (port_27_0) true) +(expandtypeattribute (port_device_27_0) true) +(expandtypeattribute (postinstall_27_0) true) +(expandtypeattribute (postinstall_dexopt_27_0) true) +(expandtypeattribute (postinstall_file_27_0) true) +(expandtypeattribute (postinstall_mnt_dir_27_0) true) +(expandtypeattribute (powerctl_prop_27_0) true) +(expandtypeattribute (power_service_27_0) true) +(expandtypeattribute (ppp_27_0) true) +(expandtypeattribute (ppp_device_27_0) true) +(expandtypeattribute (ppp_exec_27_0) true) +(expandtypeattribute (preloads_data_file_27_0) true) +(expandtypeattribute (preloads_media_file_27_0) true) +(expandtypeattribute (preopt2cachename_27_0) true) +(expandtypeattribute (preopt2cachename_exec_27_0) true) +(expandtypeattribute (print_service_27_0) true) +(expandtypeattribute (priv_app_27_0) true) +(expandtypeattribute (proc_27_0) true) +(expandtypeattribute (proc_bluetooth_writable_27_0) true) +(expandtypeattribute (proc_cpuinfo_27_0) true) +(expandtypeattribute (proc_drop_caches_27_0) true) +(expandtypeattribute (processinfo_service_27_0) true) +(expandtypeattribute (proc_interrupts_27_0) true) +(expandtypeattribute (proc_iomem_27_0) true) +(expandtypeattribute (proc_meminfo_27_0) true) +(expandtypeattribute (proc_misc_27_0) true) 
+(expandtypeattribute (proc_modules_27_0) true) +(expandtypeattribute (proc_net_27_0) true) +(expandtypeattribute (proc_overcommit_memory_27_0) true) +(expandtypeattribute (proc_perf_27_0) true) +(expandtypeattribute (proc_security_27_0) true) +(expandtypeattribute (proc_stat_27_0) true) +(expandtypeattribute (procstats_service_27_0) true) +(expandtypeattribute (proc_sysrq_27_0) true) +(expandtypeattribute (proc_timer_27_0) true) +(expandtypeattribute (proc_tty_drivers_27_0) true) +(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true) +(expandtypeattribute (proc_uid_cputime_showstat_27_0) true) +(expandtypeattribute (proc_uid_io_stats_27_0) true) +(expandtypeattribute (proc_uid_procstat_set_27_0) true) +(expandtypeattribute (proc_uid_time_in_state_27_0) true) +(expandtypeattribute (proc_zoneinfo_27_0) true) +(expandtypeattribute (profman_27_0) true) +(expandtypeattribute (profman_dump_data_file_27_0) true) +(expandtypeattribute (profman_exec_27_0) true) +(expandtypeattribute (properties_device_27_0) true) +(expandtypeattribute (properties_serial_27_0) true) +(expandtypeattribute (property_contexts_file_27_0) true) +(expandtypeattribute (property_data_file_27_0) true) +(expandtypeattribute (property_socket_27_0) true) +(expandtypeattribute (pstorefs_27_0) true) +(expandtypeattribute (ptmx_device_27_0) true) +(expandtypeattribute (qtaguid_device_27_0) true) +(expandtypeattribute (qtaguid_proc_27_0) true) +(expandtypeattribute (racoon_27_0) true) +(expandtypeattribute (racoon_exec_27_0) true) +(expandtypeattribute (racoon_socket_27_0) true) +(expandtypeattribute (radio_27_0) true) +(expandtypeattribute (radio_data_file_27_0) true) +(expandtypeattribute (radio_device_27_0) true) +(expandtypeattribute (radio_prop_27_0) true) +(expandtypeattribute (radio_service_27_0) true) +(expandtypeattribute (ram_device_27_0) true) +(expandtypeattribute (random_device_27_0) true) +(expandtypeattribute (reboot_data_file_27_0) true) +(expandtypeattribute (recovery_27_0) true) 
+(expandtypeattribute (recovery_block_device_27_0) true) +(expandtypeattribute (recovery_data_file_27_0) true) +(expandtypeattribute (recovery_persist_27_0) true) +(expandtypeattribute (recovery_persist_exec_27_0) true) +(expandtypeattribute (recovery_refresh_27_0) true) +(expandtypeattribute (recovery_refresh_exec_27_0) true) +(expandtypeattribute (recovery_service_27_0) true) +(expandtypeattribute (registry_service_27_0) true) +(expandtypeattribute (resourcecache_data_file_27_0) true) +(expandtypeattribute (restorecon_prop_27_0) true) +(expandtypeattribute (restrictions_service_27_0) true) +(expandtypeattribute (rild_27_0) true) +(expandtypeattribute (rild_debug_socket_27_0) true) +(expandtypeattribute (rild_socket_27_0) true) +(expandtypeattribute (ringtone_file_27_0) true) +(expandtypeattribute (root_block_device_27_0) true) +(expandtypeattribute (rootfs_27_0) true) +(expandtypeattribute (rpmsg_device_27_0) true) +(expandtypeattribute (rtc_device_27_0) true) +(expandtypeattribute (rttmanager_service_27_0) true) +(expandtypeattribute (runas_27_0) true) +(expandtypeattribute (runas_exec_27_0) true) +(expandtypeattribute (runtime_event_log_tags_file_27_0) true) +(expandtypeattribute (safemode_prop_27_0) true) +(expandtypeattribute (same_process_hal_file_27_0) true) +(expandtypeattribute (samplingprofiler_service_27_0) true) +(expandtypeattribute (scheduling_policy_service_27_0) true) +(expandtypeattribute (sdcardd_27_0) true) +(expandtypeattribute (sdcardd_exec_27_0) true) +(expandtypeattribute (sdcardfs_27_0) true) +(expandtypeattribute (seapp_contexts_file_27_0) true) +(expandtypeattribute (search_service_27_0) true) +(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true) +(expandtypeattribute (selinuxfs_27_0) true) +(expandtypeattribute (sensors_device_27_0) true) +(expandtypeattribute (sensorservice_service_27_0) true) +(expandtypeattribute (sepolicy_file_27_0) true) +(expandtypeattribute (serial_device_27_0) true) +(expandtypeattribute 
(serialno_prop_27_0) true) +(expandtypeattribute (serial_service_27_0) true) +(expandtypeattribute (service_contexts_file_27_0) true) +(expandtypeattribute (servicediscovery_service_27_0) true) +(expandtypeattribute (servicemanager_27_0) true) +(expandtypeattribute (servicemanager_exec_27_0) true) +(expandtypeattribute (settings_service_27_0) true) +(expandtypeattribute (sgdisk_27_0) true) +(expandtypeattribute (sgdisk_exec_27_0) true) +(expandtypeattribute (shared_relro_27_0) true) +(expandtypeattribute (shared_relro_file_27_0) true) +(expandtypeattribute (shell_27_0) true) +(expandtypeattribute (shell_data_file_27_0) true) +(expandtypeattribute (shell_exec_27_0) true) +(expandtypeattribute (shell_prop_27_0) true) +(expandtypeattribute (shm_27_0) true) +(expandtypeattribute (shortcut_manager_icons_27_0) true) +(expandtypeattribute (shortcut_service_27_0) true) +(expandtypeattribute (slideshow_27_0) true) +(expandtypeattribute (socket_device_27_0) true) +(expandtypeattribute (sockfs_27_0) true) +(expandtypeattribute (statusbar_service_27_0) true) +(expandtypeattribute (storaged_service_27_0) true) +(expandtypeattribute (storage_file_27_0) true) +(expandtypeattribute (storagestats_service_27_0) true) +(expandtypeattribute (storage_stub_file_27_0) true) +(expandtypeattribute (su_27_0) true) +(expandtypeattribute (su_exec_27_0) true) +(expandtypeattribute (surfaceflinger_27_0) true) +(expandtypeattribute (surfaceflinger_service_27_0) true) +(expandtypeattribute (swap_block_device_27_0) true) +(expandtypeattribute (sysfs_27_0) true) +(expandtypeattribute (sysfs_batteryinfo_27_0) true) +(expandtypeattribute (sysfs_bluetooth_writable_27_0) true) +(expandtypeattribute (sysfs_devices_system_cpu_27_0) true) +(expandtypeattribute (sysfs_fs_ext4_features_27_0) true) +(expandtypeattribute (sysfs_hwrandom_27_0) true) +(expandtypeattribute (sysfs_leds_27_0) true) +(expandtypeattribute (sysfs_lowmemorykiller_27_0) true) +(expandtypeattribute (sysfs_mac_address_27_0) true) 
+(expandtypeattribute (sysfs_nfc_power_writable_27_0) true) +(expandtypeattribute (sysfs_thermal_27_0) true) +(expandtypeattribute (sysfs_uio_27_0) true) +(expandtypeattribute (sysfs_usb_27_0) true) +(expandtypeattribute (sysfs_usermodehelper_27_0) true) +(expandtypeattribute (sysfs_vibrator_27_0) true) +(expandtypeattribute (sysfs_wake_lock_27_0) true) +(expandtypeattribute (sysfs_wlan_fwpath_27_0) true) +(expandtypeattribute (sysfs_zram_27_0) true) +(expandtypeattribute (sysfs_zram_uevent_27_0) true) +(expandtypeattribute (system_app_27_0) true) +(expandtypeattribute (system_app_data_file_27_0) true) +(expandtypeattribute (system_app_service_27_0) true) +(expandtypeattribute (system_block_device_27_0) true) +(expandtypeattribute (system_data_file_27_0) true) +(expandtypeattribute (system_file_27_0) true) +(expandtypeattribute (systemkeys_data_file_27_0) true) +(expandtypeattribute (system_ndebug_socket_27_0) true) +(expandtypeattribute (system_net_netd_hwservice_27_0) true) +(expandtypeattribute (system_prop_27_0) true) +(expandtypeattribute (system_radio_prop_27_0) true) +(expandtypeattribute (system_server_27_0) true) +(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true) +(expandtypeattribute (system_wpa_socket_27_0) true) +(expandtypeattribute (task_service_27_0) true) +(expandtypeattribute (tee_27_0) true) +(expandtypeattribute (tee_data_file_27_0) true) +(expandtypeattribute (tee_device_27_0) true) +(expandtypeattribute (telecom_service_27_0) true) +(expandtypeattribute (textclassification_service_27_0) true) +(expandtypeattribute (textclassifier_data_file_27_0) true) +(expandtypeattribute (textservices_service_27_0) true) +(expandtypeattribute (thermalcallback_hwservice_27_0) true) +(expandtypeattribute (thermal_service_27_0) true) +(expandtypeattribute (thermalserviced_27_0) true) +(expandtypeattribute (thermalserviced_exec_27_0) true) +(expandtypeattribute (timezone_service_27_0) true) +(expandtypeattribute (tmpfs_27_0) true) 
+(expandtypeattribute (tombstoned_27_0) true) +(expandtypeattribute (tombstone_data_file_27_0) true) +(expandtypeattribute (tombstoned_crash_socket_27_0) true) +(expandtypeattribute (tombstoned_exec_27_0) true) +(expandtypeattribute (tombstoned_intercept_socket_27_0) true) +(expandtypeattribute (tombstoned_java_trace_socket_27_0) true) +(expandtypeattribute (toolbox_27_0) true) +(expandtypeattribute (toolbox_exec_27_0) true) +(expandtypeattribute (trust_service_27_0) true) +(expandtypeattribute (tty_device_27_0) true) +(expandtypeattribute (tun_device_27_0) true) +(expandtypeattribute (tv_input_service_27_0) true) +(expandtypeattribute (tzdatacheck_27_0) true) +(expandtypeattribute (tzdatacheck_exec_27_0) true) +(expandtypeattribute (ueventd_27_0) true) +(expandtypeattribute (uhid_device_27_0) true) +(expandtypeattribute (uimode_service_27_0) true) +(expandtypeattribute (uio_device_27_0) true) +(expandtypeattribute (uncrypt_27_0) true) +(expandtypeattribute (uncrypt_exec_27_0) true) +(expandtypeattribute (uncrypt_socket_27_0) true) +(expandtypeattribute (unencrypted_data_file_27_0) true) +(expandtypeattribute (unlabeled_27_0) true) +(expandtypeattribute (untrusted_app_25_27_0) true) +(expandtypeattribute (untrusted_app_27_0) true) +(expandtypeattribute (untrusted_v2_app_27_0) true) +(expandtypeattribute (update_engine_27_0) true) +(expandtypeattribute (update_engine_data_file_27_0) true) +(expandtypeattribute (update_engine_exec_27_0) true) +(expandtypeattribute (update_engine_service_27_0) true) +(expandtypeattribute (updatelock_service_27_0) true) +(expandtypeattribute (update_verifier_27_0) true) +(expandtypeattribute (update_verifier_exec_27_0) true) +(expandtypeattribute (usagestats_service_27_0) true) +(expandtypeattribute (usbaccessory_device_27_0) true) +(expandtypeattribute (usb_device_27_0) true) +(expandtypeattribute (usbfs_27_0) true) +(expandtypeattribute (usb_service_27_0) true) +(expandtypeattribute (userdata_block_device_27_0) true) 
+(expandtypeattribute (usermodehelper_27_0) true) +(expandtypeattribute (user_profile_data_file_27_0) true) +(expandtypeattribute (user_service_27_0) true) +(expandtypeattribute (vcs_device_27_0) true) +(expandtypeattribute (vdc_27_0) true) +(expandtypeattribute (vdc_exec_27_0) true) +(expandtypeattribute (vendor_app_file_27_0) true) +(expandtypeattribute (vendor_configs_file_27_0) true) +(expandtypeattribute (vendor_file_27_0) true) +(expandtypeattribute (vendor_framework_file_27_0) true) +(expandtypeattribute (vendor_hal_file_27_0) true) +(expandtypeattribute (vendor_overlay_file_27_0) true) +(expandtypeattribute (vendor_shell_exec_27_0) true) +(expandtypeattribute (vendor_toolbox_exec_27_0) true) +(expandtypeattribute (vfat_27_0) true) +(expandtypeattribute (vibrator_service_27_0) true) +(expandtypeattribute (video_device_27_0) true) +(expandtypeattribute (virtual_touchpad_27_0) true) +(expandtypeattribute (virtual_touchpad_exec_27_0) true) +(expandtypeattribute (virtual_touchpad_service_27_0) true) +(expandtypeattribute (vndbinder_device_27_0) true) +(expandtypeattribute (vndk_sp_file_27_0) true) +(expandtypeattribute (vndservice_contexts_file_27_0) true) +(expandtypeattribute (vndservicemanager_27_0) true) +(expandtypeattribute (voiceinteraction_service_27_0) true) +(expandtypeattribute (vold_27_0) true) +(expandtypeattribute (vold_data_file_27_0) true) +(expandtypeattribute (vold_device_27_0) true) +(expandtypeattribute (vold_exec_27_0) true) +(expandtypeattribute (vold_prop_27_0) true) +(expandtypeattribute (vold_socket_27_0) true) +(expandtypeattribute (vpn_data_file_27_0) true) +(expandtypeattribute (vr_hwc_27_0) true) +(expandtypeattribute (vr_hwc_exec_27_0) true) +(expandtypeattribute (vr_hwc_service_27_0) true) +(expandtypeattribute (vr_manager_service_27_0) true) +(expandtypeattribute (wallpaper_file_27_0) true) +(expandtypeattribute (wallpaper_service_27_0) true) +(expandtypeattribute (watchdogd_27_0) true) +(expandtypeattribute (watchdog_device_27_0) 
true) +(expandtypeattribute (webviewupdate_service_27_0) true) +(expandtypeattribute (webview_zygote_27_0) true) +(expandtypeattribute (webview_zygote_exec_27_0) true) +(expandtypeattribute (webview_zygote_socket_27_0) true) +(expandtypeattribute (wifiaware_service_27_0) true) +(expandtypeattribute (wificond_27_0) true) +(expandtypeattribute (wificond_exec_27_0) true) +(expandtypeattribute (wificond_service_27_0) true) +(expandtypeattribute (wifi_data_file_27_0) true) +(expandtypeattribute (wifi_log_prop_27_0) true) +(expandtypeattribute (wifip2p_service_27_0) true) +(expandtypeattribute (wifi_prop_27_0) true) +(expandtypeattribute (wifiscanner_service_27_0) true) +(expandtypeattribute (wifi_service_27_0) true) +(expandtypeattribute (window_service_27_0) true) +(expandtypeattribute (wpa_socket_27_0) true) +(expandtypeattribute (zero_device_27_0) true) +(expandtypeattribute (zoneinfo_data_file_27_0) true) +(expandtypeattribute (zygote_27_0) true) +(expandtypeattribute (zygote_exec_27_0) true) +(expandtypeattribute (zygote_socket_27_0) true) +(typeattributeset accessibility_service_27_0 (accessibility_service)) +(typeattributeset account_service_27_0 (account_service)) +(typeattributeset activity_service_27_0 (activity_service)) +(typeattributeset adbd_27_0 (adbd)) +(typeattributeset adb_data_file_27_0 (adb_data_file)) +(typeattributeset adbd_exec_27_0 (adbd_exec)) +(typeattributeset adbd_socket_27_0 (adbd_socket)) +(typeattributeset adb_keys_file_27_0 (adb_keys_file)) +(typeattributeset alarm_device_27_0 (alarm_device)) +(typeattributeset alarm_service_27_0 (alarm_service)) +(typeattributeset anr_data_file_27_0 (anr_data_file)) +(typeattributeset apk_data_file_27_0 (apk_data_file)) +(typeattributeset apk_private_data_file_27_0 (apk_private_data_file)) +(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file)) +(typeattributeset apk_tmp_file_27_0 (apk_tmp_file)) +(typeattributeset app_data_file_27_0 (app_data_file)) +(typeattributeset app_fuse_file_27_0 
(app_fuse_file)) +(typeattributeset app_fusefs_27_0 (app_fusefs)) +(typeattributeset appops_service_27_0 (appops_service)) +(typeattributeset appwidget_service_27_0 (appwidget_service)) +(typeattributeset asec_apk_file_27_0 (asec_apk_file)) +(typeattributeset asec_image_file_27_0 (asec_image_file)) +(typeattributeset asec_public_file_27_0 (asec_public_file)) +(typeattributeset ashmem_device_27_0 (ashmem_device)) +(typeattributeset assetatlas_service_27_0 (assetatlas_service)) +(typeattributeset audio_data_file_27_0 (audio_data_file)) +(typeattributeset audio_device_27_0 (audio_device)) +(typeattributeset audiohal_data_file_27_0 (audiohal_data_file)) +(typeattributeset audio_prop_27_0 (audio_prop)) +(typeattributeset audio_seq_device_27_0 (audio_seq_device)) +(typeattributeset audioserver_27_0 (audioserver)) +(typeattributeset audioserver_data_file_27_0 (audioserver_data_file)) +(typeattributeset audioserver_service_27_0 (audioserver_service)) +(typeattributeset audio_service_27_0 (audio_service)) +(typeattributeset audio_timer_device_27_0 (audio_timer_device)) +(typeattributeset autofill_service_27_0 (autofill_service)) +(typeattributeset backup_data_file_27_0 (backup_data_file)) +(typeattributeset backup_service_27_0 (backup_service)) +(typeattributeset batteryproperties_service_27_0 (batteryproperties_service)) +(typeattributeset battery_service_27_0 (battery_service)) +(typeattributeset batterystats_service_27_0 (batterystats_service)) +(typeattributeset binder_device_27_0 (binder_device)) +(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs)) +(typeattributeset blkid_27_0 (blkid)) +(typeattributeset blkid_untrusted_27_0 (blkid_untrusted)) +(typeattributeset block_device_27_0 (block_device)) +(typeattributeset bluetooth_27_0 (bluetooth)) +(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file)) +(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file)) +(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file)) +(typeattributeset 
bluetooth_manager_service_27_0 (bluetooth_manager_service)) +(typeattributeset bluetooth_prop_27_0 (bluetooth_prop)) +(typeattributeset bluetooth_service_27_0 (bluetooth_service)) +(typeattributeset bluetooth_socket_27_0 (bluetooth_socket)) +(typeattributeset bootanim_27_0 (bootanim)) +(typeattributeset bootanim_exec_27_0 (bootanim_exec)) +(typeattributeset boot_block_device_27_0 (boot_block_device)) +(typeattributeset bootchart_data_file_27_0 (bootchart_data_file)) +(typeattributeset bootstat_27_0 (bootstat)) +(typeattributeset bootstat_data_file_27_0 (bootstat_data_file)) +(typeattributeset bootstat_exec_27_0 (bootstat_exec)) +(typeattributeset boottime_prop_27_0 (boottime_prop)) +(typeattributeset boottrace_data_file_27_0 (boottrace_data_file)) +(typeattributeset broadcastradio_service_27_0 (broadcastradio_service)) +(typeattributeset bufferhubd_27_0 (bufferhubd)) +(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec)) +(typeattributeset cache_backup_file_27_0 (cache_backup_file)) +(typeattributeset cache_block_device_27_0 (cache_block_device)) +(typeattributeset cache_file_27_0 (cache_file)) +(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file)) +(typeattributeset cache_recovery_file_27_0 (cache_recovery_file)) +(typeattributeset camera_data_file_27_0 (camera_data_file)) +(typeattributeset camera_device_27_0 (camera_device)) +(typeattributeset cameraproxy_service_27_0 (cameraproxy_service)) +(typeattributeset cameraserver_27_0 (cameraserver)) +(typeattributeset cameraserver_exec_27_0 (cameraserver_exec)) +(typeattributeset cameraserver_service_27_0 (cameraserver_service)) +(typeattributeset cgroup_27_0 (cgroup)) +(typeattributeset charger_27_0 (charger)) +(typeattributeset clatd_27_0 (clatd)) +(typeattributeset clatd_exec_27_0 (clatd_exec)) +(typeattributeset clipboard_service_27_0 (clipboard_service)) +(typeattributeset commontime_management_service_27_0 (commontime_management_service)) +(typeattributeset 
companion_device_service_27_0 (companion_device_service)) +(typeattributeset configfs_27_0 (configfs)) +(typeattributeset config_prop_27_0 (config_prop)) +(typeattributeset connectivity_service_27_0 (connectivity_service)) +(typeattributeset connmetrics_service_27_0 (connmetrics_service)) +(typeattributeset console_device_27_0 (console_device)) +(typeattributeset consumer_ir_service_27_0 (consumer_ir_service)) +(typeattributeset content_service_27_0 (content_service)) +(typeattributeset contexthub_service_27_0 (contexthub_service)) +(typeattributeset coredump_file_27_0 (coredump_file)) +(typeattributeset country_detector_service_27_0 (country_detector_service)) +(typeattributeset coverage_service_27_0 (coverage_service)) +(typeattributeset cppreopt_prop_27_0 (cppreopt_prop)) +(typeattributeset cppreopts_27_0 (cppreopts)) +(typeattributeset cppreopts_exec_27_0 (cppreopts_exec)) +(typeattributeset cpuctl_device_27_0 (cpuctl_device)) +(typeattributeset cpuinfo_service_27_0 (cpuinfo_service)) +(typeattributeset crash_dump_27_0 (crash_dump)) +(typeattributeset crash_dump_exec_27_0 (crash_dump_exec)) +(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop)) +(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop)) +(typeattributeset ctl_console_prop_27_0 (ctl_console_prop)) +(typeattributeset ctl_default_prop_27_0 (ctl_default_prop)) +(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop)) +(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop)) +(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop)) +(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop)) +(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file)) +(typeattributeset dalvik_prop_27_0 (dalvik_prop)) +(typeattributeset dbinfo_service_27_0 (dbinfo_service)) +(typeattributeset debugfs_27_0 + ( debugfs + debugfs_wakeup_sources)) +(typeattributeset debugfs_mmc_27_0 (debugfs_mmc)) +(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker)) +(typeattributeset 
debugfs_tracing_27_0 (debugfs_tracing)) +(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug)) +(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances)) +(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing)) +(typeattributeset debuggerd_prop_27_0 (debuggerd_prop)) +(typeattributeset debug_prop_27_0 (debug_prop)) +(typeattributeset default_android_hwservice_27_0 (default_android_hwservice)) +(typeattributeset default_android_service_27_0 (default_android_service)) +(typeattributeset default_android_vndservice_27_0 (default_android_vndservice)) +(typeattributeset default_prop_27_0 + ( default_prop + pm_prop)) +(typeattributeset device_27_0 (device)) +(typeattributeset device_identifiers_service_27_0 (device_identifiers_service)) +(typeattributeset deviceidle_service_27_0 (deviceidle_service)) +(typeattributeset device_logging_prop_27_0 (device_logging_prop)) +(typeattributeset device_policy_service_27_0 (device_policy_service)) +(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service)) +(typeattributeset devpts_27_0 (devpts)) +(typeattributeset dex2oat_27_0 (dex2oat)) +(typeattributeset dex2oat_exec_27_0 (dex2oat_exec)) +(typeattributeset dhcp_27_0 (dhcp)) +(typeattributeset dhcp_data_file_27_0 (dhcp_data_file)) +(typeattributeset dhcp_exec_27_0 (dhcp_exec)) +(typeattributeset dhcp_prop_27_0 (dhcp_prop)) +(typeattributeset diskstats_service_27_0 (diskstats_service)) +(typeattributeset display_service_27_0 (display_service)) +(typeattributeset dm_device_27_0 (dm_device)) +(typeattributeset dnsmasq_27_0 (dnsmasq)) +(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec)) +(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket)) +(typeattributeset DockObserver_service_27_0 (DockObserver_service)) +(typeattributeset dreams_service_27_0 (dreams_service)) +(typeattributeset drm_data_file_27_0 (drm_data_file)) +(typeattributeset drmserver_27_0 (drmserver)) +(typeattributeset drmserver_exec_27_0 
(drmserver_exec)) +(typeattributeset drmserver_service_27_0 (drmserver_service)) +(typeattributeset drmserver_socket_27_0 (drmserver_socket)) +(typeattributeset dropbox_service_27_0 (dropbox_service)) +(typeattributeset dumpstate_27_0 (dumpstate)) +(typeattributeset dumpstate_exec_27_0 (dumpstate_exec)) +(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop)) +(typeattributeset dumpstate_prop_27_0 (dumpstate_prop)) +(typeattributeset dumpstate_service_27_0 (dumpstate_service)) +(typeattributeset dumpstate_socket_27_0 (dumpstate_socket)) +(typeattributeset e2fs_27_0 (e2fs)) +(typeattributeset e2fs_exec_27_0 (e2fs_exec)) +(typeattributeset efs_file_27_0 (efs_file)) +(typeattributeset ephemeral_app_27_0 (ephemeral_app)) +(typeattributeset ethernet_service_27_0 (ethernet_service)) +(typeattributeset ffs_prop_27_0 (ffs_prop)) +(typeattributeset file_contexts_file_27_0 (file_contexts_file)) +(typeattributeset fingerprintd_27_0 (fingerprintd)) +(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file)) +(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec)) +(typeattributeset fingerprintd_service_27_0 (fingerprintd_service)) +(typeattributeset fingerprint_prop_27_0 (fingerprint_prop)) +(typeattributeset fingerprint_service_27_0 (fingerprint_service)) +(typeattributeset firstboot_prop_27_0 (firstboot_prop)) +(typeattributeset font_service_27_0 (font_service)) +(typeattributeset frp_block_device_27_0 (frp_block_device)) +(typeattributeset fsck_27_0 (fsck)) +(typeattributeset fsck_exec_27_0 (fsck_exec)) +(typeattributeset fscklogs_27_0 (fscklogs)) +(typeattributeset fsck_untrusted_27_0 (fsck_untrusted)) +(typeattributeset full_device_27_0 (full_device)) +(typeattributeset functionfs_27_0 (functionfs)) +(typeattributeset fuse_27_0 (fuse)) +(typeattributeset fuse_device_27_0 (fuse_device)) +(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice)) +(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice)) 
+(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice)) +(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket)) +(typeattributeset gatekeeperd_27_0 (gatekeeperd)) +(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file)) +(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec)) +(typeattributeset gatekeeper_service_27_0 (gatekeeper_service)) +(typeattributeset gfxinfo_service_27_0 (gfxinfo_service)) +(typeattributeset gps_control_27_0 (gps_control)) +(typeattributeset gpu_device_27_0 (gpu_device)) +(typeattributeset gpu_service_27_0 (gpu_service)) +(typeattributeset graphics_device_27_0 (graphics_device)) +(typeattributeset graphicsstats_service_27_0 (graphicsstats_service)) +(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice)) +(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice)) +(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice)) +(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice)) +(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice)) +(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice)) +(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs)) +(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice)) +(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice)) +(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice)) +(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice)) +(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service)) +(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice)) +(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice)) +(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice)) +(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice)) +(typeattributeset hal_graphics_mapper_hwservice_27_0 
(hal_graphics_mapper_hwservice)) +(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice)) +(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice)) +(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice)) +(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice)) +(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice)) +(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice)) +(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice)) +(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice)) +(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice)) +(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice)) +(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice)) +(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice)) +(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice)) +(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice)) +(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice)) +(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice)) +(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice)) +(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice)) +(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice)) +(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice)) +(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice)) +(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice)) +(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice)) +(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice)) +(typeattributeset hardware_properties_service_27_0 (hardware_properties_service)) +(typeattributeset hardware_service_27_0 (hardware_service)) +(typeattributeset hci_attach_dev_27_0 (hci_attach_dev)) +(typeattributeset hdmi_control_service_27_0 
(hdmi_control_service)) +(typeattributeset healthd_27_0 (healthd)) +(typeattributeset healthd_exec_27_0 (healthd_exec)) +(typeattributeset heapdump_data_file_27_0 (heapdump_data_file)) +(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice)) +(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice)) +(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice)) +(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice)) +(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice)) +(typeattributeset hwbinder_device_27_0 (hwbinder_device)) +(typeattributeset hw_random_device_27_0 (hw_random_device)) +(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file)) +(typeattributeset hwservicemanager_27_0 (hwservicemanager)) +(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec)) +(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop)) +(typeattributeset i2c_device_27_0 (i2c_device)) +(typeattributeset icon_file_27_0 (icon_file)) +(typeattributeset idmap_27_0 (idmap)) +(typeattributeset idmap_exec_27_0 (idmap_exec)) +(typeattributeset iio_device_27_0 (iio_device)) +(typeattributeset imms_service_27_0 (imms_service)) +(typeattributeset incident_27_0 (incident)) +(typeattributeset incidentd_27_0 (incidentd)) +(typeattributeset incident_data_file_27_0 (incident_data_file)) +(typeattributeset incident_service_27_0 (incident_service)) +(typeattributeset init_27_0 (init)) +(typeattributeset init_exec_27_0 (init_exec)) +(typeattributeset inotify_27_0 (inotify)) +(typeattributeset input_device_27_0 (input_device)) +(typeattributeset inputflinger_27_0 (inputflinger)) +(typeattributeset inputflinger_exec_27_0 (inputflinger_exec)) +(typeattributeset inputflinger_service_27_0 (inputflinger_service)) +(typeattributeset input_method_service_27_0 (input_method_service)) +(typeattributeset input_service_27_0 (input_service)) +(typeattributeset installd_27_0 (installd)) +(typeattributeset 
install_data_file_27_0 (install_data_file)) +(typeattributeset installd_exec_27_0 (installd_exec)) +(typeattributeset installd_service_27_0 (installd_service)) +(typeattributeset install_recovery_27_0 (install_recovery)) +(typeattributeset install_recovery_exec_27_0 (install_recovery_exec)) +(typeattributeset ion_device_27_0 (ion_device)) +(typeattributeset IProxyService_service_27_0 (IProxyService_service)) +(typeattributeset ipsec_service_27_0 (ipsec_service)) +(typeattributeset isolated_app_27_0 (isolated_app)) +(typeattributeset jobscheduler_service_27_0 (jobscheduler_service)) +(typeattributeset kernel_27_0 (kernel)) +(typeattributeset keychain_data_file_27_0 (keychain_data_file)) +(typeattributeset keychord_device_27_0 (keychord_device)) +(typeattributeset keystore_27_0 (keystore)) +(typeattributeset keystore_data_file_27_0 (keystore_data_file)) +(typeattributeset keystore_exec_27_0 (keystore_exec)) +(typeattributeset keystore_service_27_0 (keystore_service)) +(typeattributeset kmem_device_27_0 (kmem_device)) +(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device)) +(typeattributeset kmsg_device_27_0 (kmsg_device)) +(typeattributeset labeledfs_27_0 (labeledfs)) +(typeattributeset launcherapps_service_27_0 (launcherapps_service)) +(typeattributeset lmkd_27_0 (lmkd)) +(typeattributeset lmkd_exec_27_0 (lmkd_exec)) +(typeattributeset lmkd_socket_27_0 (lmkd_socket)) +(typeattributeset location_service_27_0 (location_service)) +(typeattributeset lock_settings_service_27_0 (lock_settings_service)) +(typeattributeset logcat_exec_27_0 (logcat_exec)) +(typeattributeset logd_27_0 (logd)) +(typeattributeset logd_exec_27_0 (logd_exec)) +(typeattributeset logd_prop_27_0 (logd_prop)) +(typeattributeset logdr_socket_27_0 (logdr_socket)) +(typeattributeset logd_socket_27_0 (logd_socket)) +(typeattributeset logdw_socket_27_0 (logdw_socket)) +(typeattributeset logpersist_27_0 (logpersist)) +(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop)) 
+(typeattributeset log_prop_27_0 (log_prop)) +(typeattributeset log_tag_prop_27_0 (log_tag_prop)) +(typeattributeset loop_control_device_27_0 (loop_control_device)) +(typeattributeset loop_device_27_0 (loop_device)) +(typeattributeset mac_perms_file_27_0 (mac_perms_file)) +(typeattributeset mdnsd_27_0 (mdnsd)) +(typeattributeset mdnsd_socket_27_0 (mdnsd_socket)) +(typeattributeset mdns_socket_27_0 (mdns_socket)) +(typeattributeset mediacodec_27_0 (mediacodec)) +(typeattributeset mediacodec_exec_27_0 (mediacodec_exec)) +(typeattributeset mediacodec_service_27_0 (mediacodec_service)) +(typeattributeset media_data_file_27_0 (media_data_file)) +(typeattributeset mediadrmserver_27_0 (mediadrmserver)) +(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec)) +(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service)) +(typeattributeset mediaextractor_27_0 (mediaextractor)) +(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec)) +(typeattributeset mediaextractor_service_27_0 (mediaextractor_service)) +(typeattributeset mediametrics_27_0 (mediametrics)) +(typeattributeset mediametrics_exec_27_0 (mediametrics_exec)) +(typeattributeset mediametrics_service_27_0 (mediametrics_service)) +(typeattributeset media_projection_service_27_0 (media_projection_service)) +(typeattributeset mediaprovider_27_0 (mediaprovider)) +(typeattributeset media_router_service_27_0 (media_router_service)) +(typeattributeset media_rw_data_file_27_0 (media_rw_data_file)) +(typeattributeset mediaserver_27_0 (mediaserver)) +(typeattributeset mediaserver_exec_27_0 (mediaserver_exec)) +(typeattributeset mediaserver_service_27_0 (mediaserver_service)) +(typeattributeset media_session_service_27_0 (media_session_service)) +(typeattributeset meminfo_service_27_0 (meminfo_service)) +(typeattributeset metadata_block_device_27_0 (metadata_block_device)) +(typeattributeset method_trace_data_file_27_0 (method_trace_data_file)) +(typeattributeset midi_service_27_0 (midi_service)) 
+(typeattributeset misc_block_device_27_0 (misc_block_device)) +(typeattributeset misc_logd_file_27_0 (misc_logd_file)) +(typeattributeset misc_user_data_file_27_0 (misc_user_data_file)) +(typeattributeset mmc_prop_27_0 (mmc_prop)) +(typeattributeset mnt_expand_file_27_0 (mnt_expand_file)) +(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file)) +(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file)) +(typeattributeset mnt_user_file_27_0 (mnt_user_file)) +(typeattributeset modprobe_27_0 (modprobe)) +(typeattributeset mount_service_27_0 (mount_service)) +(typeattributeset mqueue_27_0 (mqueue)) +(typeattributeset mtd_device_27_0 (mtd_device)) +(typeattributeset mtp_27_0 (mtp)) +(typeattributeset mtp_device_27_0 (mtp_device)) +(typeattributeset mtpd_socket_27_0 (mtpd_socket)) +(typeattributeset mtp_exec_27_0 (mtp_exec)) +(typeattributeset nativetest_data_file_27_0 (nativetest_data_file)) +(typeattributeset netd_27_0 (netd)) +(typeattributeset net_data_file_27_0 (net_data_file)) +(typeattributeset netd_exec_27_0 (netd_exec)) +(typeattributeset netd_listener_service_27_0 (netd_listener_service)) +(typeattributeset net_dns_prop_27_0 (net_dns_prop)) +(typeattributeset netd_service_27_0 (netd_service)) +(typeattributeset netd_socket_27_0 (netd_socket)) +(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop)) +(typeattributeset netif_27_0 (netif)) +(typeattributeset netpolicy_service_27_0 (netpolicy_service)) +(typeattributeset net_radio_prop_27_0 (net_radio_prop)) +(typeattributeset netstats_service_27_0 (netstats_service)) +(typeattributeset netutils_wrapper_27_0 (netutils_wrapper)) +(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec)) +(typeattributeset network_management_service_27_0 (network_management_service)) +(typeattributeset network_score_service_27_0 (network_score_service)) +(typeattributeset network_time_update_service_27_0 (network_time_update_service)) +(typeattributeset nfc_27_0 (nfc)) 
+(typeattributeset nfc_data_file_27_0 (nfc_data_file)) +(typeattributeset nfc_device_27_0 (nfc_device)) +(typeattributeset nfc_prop_27_0 (nfc_prop)) +(typeattributeset nfc_service_27_0 (nfc_service)) +(typeattributeset node_27_0 (node)) +(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file)) +(typeattributeset notification_service_27_0 (notification_service)) +(typeattributeset null_device_27_0 (null_device)) +(typeattributeset oemfs_27_0 (oemfs)) +(typeattributeset oem_lock_service_27_0 (oem_lock_service)) +(typeattributeset ota_data_file_27_0 (ota_data_file)) +(typeattributeset otadexopt_service_27_0 (otadexopt_service)) +(typeattributeset ota_package_file_27_0 (ota_package_file)) +(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot)) +(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec)) +(typeattributeset otapreopt_slot_27_0 (otapreopt_slot)) +(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec)) +(typeattributeset overlay_prop_27_0 (overlay_prop)) +(typeattributeset overlay_service_27_0 (overlay_service)) +(typeattributeset owntty_device_27_0 (owntty_device)) +(typeattributeset package_native_service_27_0 (package_native_service)) +(typeattributeset package_service_27_0 (package_service)) +(typeattributeset pan_result_prop_27_0 (pan_result_prop)) +(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket)) +(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket)) +(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir)) +(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket)) +(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket)) +(typeattributeset pdx_display_dir_27_0 (pdx_display_dir)) +(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket)) +(typeattributeset 
pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket)) +(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket)) +(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket)) +(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket)) +(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket)) +(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket)) +(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket)) +(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir)) +(typeattributeset performanced_27_0 (performanced)) +(typeattributeset performanced_exec_27_0 (performanced_exec)) +(typeattributeset perfprofd_27_0 (perfprofd)) +(typeattributeset perfprofd_data_file_27_0 (perfprofd_data_file)) +(typeattributeset perfprofd_exec_27_0 (perfprofd_exec)) +(typeattributeset permission_service_27_0 (permission_service)) +(typeattributeset persist_debug_prop_27_0 (persist_debug_prop)) +(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service)) +(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop)) +(typeattributeset pinner_service_27_0 (pinner_service)) +(typeattributeset pipefs_27_0 (pipefs)) +(typeattributeset platform_app_27_0 (platform_app)) +(typeattributeset pmsg_device_27_0 (pmsg_device)) +(typeattributeset port_27_0 (port)) +(typeattributeset port_device_27_0 (port_device)) +(typeattributeset postinstall_27_0 (postinstall)) +(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt)) +(typeattributeset postinstall_file_27_0 (postinstall_file)) +(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir)) +(typeattributeset powerctl_prop_27_0 (powerctl_prop)) +(typeattributeset power_service_27_0 (power_service)) 
+(typeattributeset ppp_27_0 (ppp)) +(typeattributeset ppp_device_27_0 (ppp_device)) +(typeattributeset ppp_exec_27_0 (ppp_exec)) +(typeattributeset preloads_data_file_27_0 (preloads_data_file)) +(typeattributeset preloads_media_file_27_0 (preloads_media_file)) +(typeattributeset preopt2cachename_27_0 (preopt2cachename)) +(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec)) +(typeattributeset print_service_27_0 (print_service)) +(typeattributeset priv_app_27_0 (priv_app)) +(typeattributeset proc_27_0 + ( proc + proc_abi + proc_asound + proc_buddyinfo + proc_cmdline + proc_dirty + proc_diskstats + proc_extra_free_kbytes + proc_filesystems + proc_hostname + proc_hung_task + proc_kmsg + proc_loadavg + proc_max_map_count + proc_min_free_order_shift + proc_mounts + proc_page_cluster + proc_pagetypeinfo + proc_panic + proc_pid_max + proc_pipe_conf + proc_random + proc_sched + proc_swaps + proc_uid_concurrent_active_time + proc_uid_concurrent_policy_time + proc_uid_cpupower + proc_uptime + proc_version + proc_vmallocinfo + proc_vmstat)) +(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable)) +(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo)) +(typeattributeset proc_drop_caches_27_0 (proc_drop_caches)) +(typeattributeset processinfo_service_27_0 (processinfo_service)) +(typeattributeset proc_interrupts_27_0 (proc_interrupts)) +(typeattributeset proc_iomem_27_0 (proc_iomem)) +(typeattributeset proc_meminfo_27_0 (proc_meminfo)) +(typeattributeset proc_misc_27_0 (proc_misc)) +(typeattributeset proc_modules_27_0 (proc_modules)) +(typeattributeset proc_net_27_0 + ( proc_net + proc_qtaguid_stat)) +(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory)) +(typeattributeset proc_perf_27_0 (proc_perf)) +(typeattributeset proc_security_27_0 (proc_security)) +(typeattributeset proc_stat_27_0 (proc_stat)) +(typeattributeset procstats_service_27_0 (procstats_service)) +(typeattributeset proc_sysrq_27_0 (proc_sysrq)) +(typeattributeset 
proc_timer_27_0 (proc_timer)) +(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers)) +(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid)) +(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat)) +(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats)) +(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set)) +(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state)) +(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo)) +(typeattributeset profman_27_0 (profman)) +(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file)) +(typeattributeset profman_exec_27_0 (profman_exec)) +(typeattributeset properties_device_27_0 (properties_device)) +(typeattributeset properties_serial_27_0 (properties_serial)) +(typeattributeset property_contexts_file_27_0 (property_contexts_file)) +(typeattributeset property_data_file_27_0 (property_data_file)) +(typeattributeset property_socket_27_0 (property_socket)) +(typeattributeset pstorefs_27_0 (pstorefs)) +(typeattributeset ptmx_device_27_0 (ptmx_device)) +(typeattributeset qtaguid_device_27_0 (qtaguid_device)) +(typeattributeset qtaguid_proc_27_0 (qtaguid_proc)) +(typeattributeset racoon_27_0 (racoon)) +(typeattributeset racoon_exec_27_0 (racoon_exec)) +(typeattributeset racoon_socket_27_0 (racoon_socket)) +(typeattributeset radio_27_0 (radio)) +(typeattributeset radio_data_file_27_0 (radio_data_file)) +(typeattributeset radio_device_27_0 (radio_device)) +(typeattributeset radio_prop_27_0 (radio_prop)) +(typeattributeset radio_service_27_0 (radio_service)) +(typeattributeset ram_device_27_0 (ram_device)) +(typeattributeset random_device_27_0 (random_device)) +(typeattributeset reboot_data_file_27_0 (reboot_data_file)) +(typeattributeset recovery_27_0 (recovery)) +(typeattributeset recovery_block_device_27_0 (recovery_block_device)) +(typeattributeset recovery_data_file_27_0 (recovery_data_file)) +(typeattributeset recovery_persist_27_0 
(recovery_persist)) +(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec)) +(typeattributeset recovery_refresh_27_0 (recovery_refresh)) +(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec)) +(typeattributeset recovery_service_27_0 (recovery_service)) +(typeattributeset registry_service_27_0 (registry_service)) +(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file)) +(typeattributeset restorecon_prop_27_0 (restorecon_prop)) +(typeattributeset restrictions_service_27_0 (restrictions_service)) +(typeattributeset rild_27_0 (rild)) +(typeattributeset rild_debug_socket_27_0 (rild_debug_socket)) +(typeattributeset rild_socket_27_0 (rild_socket)) +(typeattributeset ringtone_file_27_0 (ringtone_file)) +(typeattributeset root_block_device_27_0 (root_block_device)) +(typeattributeset rootfs_27_0 (rootfs)) +(typeattributeset rpmsg_device_27_0 (rpmsg_device)) +(typeattributeset rtc_device_27_0 (rtc_device)) +(typeattributeset rttmanager_service_27_0 (rttmanager_service)) +(typeattributeset runas_27_0 (runas)) +(typeattributeset runas_exec_27_0 (runas_exec)) +(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file)) +(typeattributeset safemode_prop_27_0 (safemode_prop)) +(typeattributeset same_process_hal_file_27_0 (same_process_hal_file)) +(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service)) +(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service)) +(typeattributeset sdcardd_27_0 (sdcardd)) +(typeattributeset sdcardd_exec_27_0 (sdcardd_exec)) +(typeattributeset sdcardfs_27_0 (sdcardfs)) +(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file)) +(typeattributeset search_service_27_0 (search_service)) +(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service)) +(typeattributeset selinuxfs_27_0 (selinuxfs)) +(typeattributeset sensors_device_27_0 (sensors_device)) +(typeattributeset sensorservice_service_27_0 
(sensorservice_service)) +(typeattributeset sepolicy_file_27_0 (sepolicy_file)) +(typeattributeset serial_device_27_0 (serial_device)) +(typeattributeset serialno_prop_27_0 (serialno_prop)) +(typeattributeset serial_service_27_0 (serial_service)) +(typeattributeset service_contexts_file_27_0 (service_contexts_file)) +(typeattributeset servicediscovery_service_27_0 (servicediscovery_service)) +(typeattributeset servicemanager_27_0 (servicemanager)) +(typeattributeset servicemanager_exec_27_0 (servicemanager_exec)) +(typeattributeset settings_service_27_0 (settings_service)) +(typeattributeset sgdisk_27_0 (sgdisk)) +(typeattributeset sgdisk_exec_27_0 (sgdisk_exec)) +(typeattributeset shared_relro_27_0 (shared_relro)) +(typeattributeset shared_relro_file_27_0 (shared_relro_file)) +(typeattributeset shell_27_0 (shell)) +(typeattributeset shell_data_file_27_0 (shell_data_file)) +(typeattributeset shell_exec_27_0 (shell_exec)) +(typeattributeset shell_prop_27_0 (shell_prop)) +(typeattributeset shm_27_0 (shm)) +(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons)) +(typeattributeset shortcut_service_27_0 (shortcut_service)) +(typeattributeset slideshow_27_0 (slideshow)) +(typeattributeset socket_device_27_0 (socket_device)) +(typeattributeset sockfs_27_0 (sockfs)) +(typeattributeset statusbar_service_27_0 (statusbar_service)) +(typeattributeset storaged_service_27_0 (storaged_service)) +(typeattributeset storage_file_27_0 (storage_file)) +(typeattributeset storagestats_service_27_0 (storagestats_service)) +(typeattributeset storage_stub_file_27_0 (storage_stub_file)) +(typeattributeset su_27_0 (su)) +(typeattributeset su_exec_27_0 (su_exec)) +(typeattributeset surfaceflinger_27_0 (surfaceflinger)) +(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service)) +(typeattributeset swap_block_device_27_0 (swap_block_device)) +(typeattributeset sysfs_27_0 + ( sysfs + sysfs_android_usb + sysfs_dm + sysfs_dt_firmware_android + sysfs_ipv4 + 
sysfs_kernel_notes
+ sysfs_net
+ sysfs_power
+ sysfs_rtc
+ sysfs_switch
+ sysfs_wakeup_reasons))
+(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
+(typeattributeset sysfs_leds_27_0 (sysfs_leds))
+(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
+(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
+(typeattributeset sysfs_uio_27_0 (sysfs_uio))
+(typeattributeset sysfs_usb_27_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_27_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
+(typeattributeset system_app_27_0 (system_app))
+(typeattributeset system_app_data_file_27_0 (system_app_data_file))
+(typeattributeset system_app_service_27_0 (system_app_service))
+(typeattributeset system_block_device_27_0 (system_block_device))
+(typeattributeset system_data_file_27_0
+ ( system_data_file
+ vendor_data_file))
+(typeattributeset system_file_27_0 (system_file))
+(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
+(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
+(typeattributeset system_prop_27_0 (system_prop))
+(typeattributeset system_radio_prop_27_0 (system_radio_prop))
+(typeattributeset system_server_27_0 (system_server))
+(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
+(typeattributeset task_service_27_0 (task_service))
+(typeattributeset tee_27_0 (tee))
+(typeattributeset tee_data_file_27_0 (tee_data_file))
+(typeattributeset tee_device_27_0 (tee_device))
+(typeattributeset telecom_service_27_0 (telecom_service))
+(typeattributeset textclassification_service_27_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
+(typeattributeset textservices_service_27_0 (textservices_service))
+(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
+(typeattributeset thermal_service_27_0 (thermal_service))
+(typeattributeset thermalserviced_27_0 (thermalserviced))
+(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
+(typeattributeset timezone_service_27_0 (timezone_service))
+(typeattributeset tmpfs_27_0 (tmpfs))
+(typeattributeset tombstoned_27_0 (tombstoned))
+(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
+(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_27_0 (toolbox))
+(typeattributeset toolbox_exec_27_0 (toolbox_exec))
+(typeattributeset trust_service_27_0 (trust_service))
+(typeattributeset tty_device_27_0 (tty_device))
+(typeattributeset tun_device_27_0 (tun_device))
+(typeattributeset tv_input_service_27_0 (tv_input_service))
+(typeattributeset tzdatacheck_27_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
+(typeattributeset ueventd_27_0 (ueventd))
+(typeattributeset uhid_device_27_0 (uhid_device))
+(typeattributeset uimode_service_27_0 (uimode_service))
+(typeattributeset uio_device_27_0 (uio_device))
+(typeattributeset uncrypt_27_0 (uncrypt))
+(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
+(typeattributeset unlabeled_27_0 (unlabeled))
+(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_0
+ ( untrusted_app
+ untrusted_app_27))
+(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
+(typeattributeset update_engine_27_0 (update_engine))
+(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_27_0 (update_engine_exec))
+(typeattributeset update_engine_service_27_0 (update_engine_service))
+(typeattributeset updatelock_service_27_0 (updatelock_service))
+(typeattributeset update_verifier_27_0 (update_verifier))
+(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
+(typeattributeset usagestats_service_27_0 (usagestats_service))
+(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
+(typeattributeset usb_device_27_0 (usb_device))
+(typeattributeset usbfs_27_0 (usbfs))
+(typeattributeset usb_service_27_0 (usb_service))
+(typeattributeset userdata_block_device_27_0 (userdata_block_device))
+(typeattributeset usermodehelper_27_0 (usermodehelper))
+(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
+(typeattributeset user_service_27_0 (user_service))
+(typeattributeset vcs_device_27_0 (vcs_device))
+(typeattributeset vdc_27_0 (vdc))
+(typeattributeset vdc_exec_27_0 (vdc_exec))
+(typeattributeset vendor_app_file_27_0 (vendor_app_file))
+(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
+(typeattributeset vendor_file_27_0 (vendor_file))
+(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
+(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
+(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
+(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
+(typeattributeset vfat_27_0 (vfat))
+(typeattributeset vibrator_service_27_0 (vibrator_service))
+(typeattributeset video_device_27_0 (video_device))
+(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_27_0 (vndbinder_device))
+(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_27_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
+(typeattributeset vold_27_0 (vold))
+(typeattributeset vold_data_file_27_0 (vold_data_file))
+(typeattributeset vold_device_27_0 (vold_device))
+(typeattributeset vold_exec_27_0 (vold_exec))
+(typeattributeset vold_prop_27_0 (vold_prop))
+(typeattributeset vold_socket_27_0 (vold_socket))
+(typeattributeset vpn_data_file_27_0 (vpn_data_file))
+(typeattributeset vr_hwc_27_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_27_0 (vr_manager_service))
+(typeattributeset wallpaper_file_27_0 (wallpaper_file))
+(typeattributeset wallpaper_service_27_0 (wallpaper_service))
+(typeattributeset watchdogd_27_0 (watchdogd))
+(typeattributeset watchdog_device_27_0 (watchdog_device))
+(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
+(typeattributeset webview_zygote_27_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
+(typeattributeset wifiaware_service_27_0 (wifiaware_service))
+(typeattributeset wificond_27_0 (wificond))
+(typeattributeset wificond_exec_27_0 (wificond_exec))
+(typeattributeset wificond_service_27_0 (wificond_service))
+(typeattributeset wifi_data_file_27_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
+(typeattributeset wifip2p_service_27_0 (wifip2p_service))
+(typeattributeset wifi_prop_27_0 (wifi_prop))
+(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
+(typeattributeset wifi_service_27_0 (wifi_service))
+(typeattributeset window_service_27_0 (window_service))
+(typeattributeset wpa_socket_27_0 (wpa_socket))
+(typeattributeset zero_device_27_0 (zero_device))
+(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
+(typeattributeset zygote_27_0 (zygote))
+(typeattributeset zygote_exec_27_0 (zygote_exec))
+(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
new file mode 100644
index 000000000..94c81d0cb
--- /dev/null
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
@@ -0,0 +1,114 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( atrace
+ binder_calls_stats_service
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
+ bootloader_boot_reason_prop
+ bluetooth_a2dp_offload_prop
+ bpfloader
+ bpfloader_exec
+ cgroup_bpf
+ crossprofileapps_service
+ exported2_config_prop
+ exported2_default_prop
+ exported2_radio_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_radio_prop
+ exported3_system_prop
+ exported_bluetooth_prop
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_overlay_prop
+ exported_pm_prop
+ exported_radio_prop
+ exported_secure_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported_wifi_prop
+ fingerprint_vendor_data_file
+ fs_bpf
+ hal_authsecret_hwservice
+ hal_codec2_hwservice
+ hal_confirmationui_hwservice
+ hal_lowpan_hwservice
+ hal_secure_element_hwservice
+ hal_usb_gadget_hwservice
+ hal_wifi_hostapd_hwservice
+ incident_helper
+ incident_helper_exec
+ last_boot_reason_prop
+ lowpan_device
+ lowpan_prop
+ lowpan_service
+ mediaextractor_update_service
+ network_watchlist_data_file
+ network_watchlist_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
+ perfprofd_service
+ property_info
+ secure_element
+ secure_element_device
+ secure_element_service
+ secure_element_tmpfs
+ slice_service
+ stats
+ stats_data_file
+ stats_exec
+ stats_service
+ statscompanion_service
+ statsd
+ statsd_exec
+ statsd_tmpfs
+ storaged_data_file
+ system_boot_reason_prop
+ system_update_service
+ tombstone_wifi_data_file
+ trace_data_file
+ traced
+ traced_consumer_socket
+ traced_exec
+ traced_probes
+ traced_probes_exec
+ traced_probes_tmpfs
+ traced_producer_socket
+ traced_tmpfs
+ traceur_app
+ traceur_app_tmpfs
+ untrusted_app_all_devpts
+ update_engine_log_data_file
+ usbd
+ usbd_exec
+ usbd_tmpfs
+ vendor_default_prop
+ vendor_init
+ vendor_shell
+ vold_metadata_file
+ vold_prepare_subdirs
+ vold_prepare_subdirs_exec
+ vold_service
+ wm_trace_data_file
+ wpantund
+ wpantund_exec
+ wpantund_service
+ wpantund_tmpfs))
+
+;; private_objects - a collection of types that were labeled differently in
+;; older policy, but that should not remain accessible to vendor policy.
+;; Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects (untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/28.0/private/coredomain.te b/prebuilts/api/28.0/private/coredomain.te
new file mode 100644
index 000000000..23224c323
--- /dev/null
+++ b/prebuilts/api/28.0/private/coredomain.te
@@ -0,0 +1,15 @@
+get_prop(coredomain, pm_prop)
+get_prop(coredomain, exported_pm_prop)
+
+full_treble_only(`
+neverallow {
+ coredomain
+
+ # for chowning
+ -init
+
+ # generic access to sysfs_type
+ -ueventd
+ -vold
+} sysfs_leds:file *;
+')
diff --git a/prebuilts/api/28.0/private/cppreopts.te b/prebuilts/api/28.0/private/cppreopts.te
new file mode 100644
index 000000000..34f0d669b
--- /dev/null
+++ b/prebuilts/api/28.0/private/cppreopts.te
@@ -0,0 +1,6 @@
+typeattribute cppreopts coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
diff --git a/prebuilts/api/28.0/private/crash_dump.te b/prebuilts/api/28.0/private/crash_dump.te
new file mode 100644
index 000000000..fb73f08a9
--- /dev/null
+++ b/prebuilts/api/28.0/private/crash_dump.te
@@ -0,0 +1 @@
+typeattribute crash_dump coredomain;
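Review bot: The comment introducing the second attribute calls it `private_objects`, but the declaration right below it is `(typeattribute priv_objects)`, so anyone grepping for the name used in the comment finds nothing. Rename the comment to match the identifier: `;; priv_objects - a collection of types that were labeled differently in`. The same comment block is also the only header here that ends without a period (`recorded for checkapi tests`); minor, but worth aligning with the `new_objects` block above it.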
diff --git a/prebuilts/api/28.0/private/dex2oat.te b/prebuilts/api/28.0/private/dex2oat.te
new file mode 100644
index 000000000..fd45484f4
--- /dev/null
+++ b/prebuilts/api/28.0/private/dex2oat.te
@@ -0,0 +1 @@
+typeattribute dex2oat coredomain;
diff --git a/prebuilts/api/28.0/private/dexoptanalyzer.te b/prebuilts/api/28.0/private/dexoptanalyzer.te
new file mode 100644
index 000000000..dfc81b850
--- /dev/null
+++ b/prebuilts/api/28.0/private/dexoptanalyzer.te
@@ -0,0 +1,30 @@
+# dexoptanalyzer
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+type dexoptanalyzer_exec, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexoptanalyzer vs other
+#processes.
+tmpfs_domain(dexoptanalyzer)
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+
+allow dexoptanalyzer installd:fd use;
+
+# Allow reading secondary dex files that were reported by the app to the
+# package manager.
+allow dexoptanalyzer app_data_file:dir { getattr search };
+allow dexoptanalyzer app_data_file:file { getattr read };
+# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
+# "dontaudit...audit_access" policy line to suppress the audit access without
+# suppressing denial on actual access.
+dontaudit dexoptanalyzer app_data_file:dir audit_access;
+
+# Allow testing /data/user/0 which symlinks to /data/data
+allow dexoptanalyzer system_data_file:lnk_file { getattr };
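Review bot: The comment above the `app_data_file` grants describes them as reading "secondary dex files that were reported by the app", but `allow dexoptanalyzer app_data_file:file { getattr read };` is not scoped to any subset — SELinux cannot express "files the app reported", so this rule grants read on every file labeled app_data_file and the comment understates it. Say so explicitly and point at where the narrowing has to happen, e.g. `# Allow reading secondary dex files that were reported by the app to the` / `# package manager. Note: policy cannot limit this to the reported paths; the` / `# grant covers all app_data_file, so the caller (presumably installd - verify) must.` Separately, the tmpfs comment ends with `#processes` (missing the space after `#`) and "which unpack to tmpfs" should read "which unpacks to tmpfs".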
diff --git a/prebuilts/api/28.0/private/dhcp.te b/prebuilts/api/28.0/private/dhcp.te
new file mode 100644
index 000000000..b2f8ac7c7
--- /dev/null
+++ b/prebuilts/api/28.0/private/dhcp.te
@@ -0,0 +1,4 @@
+typeattribute dhcp coredomain;
+
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/prebuilts/api/28.0/private/dnsmasq.te b/prebuilts/api/28.0/private/dnsmasq.te
new file mode 100644
index 000000000..96084b490
--- /dev/null
+++ b/prebuilts/api/28.0/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
new file mode 100644
index 000000000..fb6ba4f78
--- /dev/null
+++ b/prebuilts/api/28.0/private/domain.te
@@ -0,0 +1,118 @@
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow {
+ domain
+ -vold
+ -dumpstate
+ userdebug_or_eng(`-incidentd')
+ -storaged
+ -system_server
+ userdebug_or_eng(`-perfprofd')
+} self:global_capability_class_set sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ userdebug_or_eng(`-domain')
+} debugfs_tracing_debug:file no_rw_file_perms;
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+ # /proc
+ neverallow {
+ coredomain
+ -vold
+ } proc:file no_rw_file_perms;
+
+ # /sys
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ } sysfs:file no_rw_file_perms;
+
+ # /dev
+ neverallow {
+ coredomain
+ -fsck
+ -init
+ -ueventd
+ } device:{ blk_file file } no_rw_file_perms;
+
+ # debugfs
+ neverallow {
+ coredomain
+ -dumpstate
+ -init
+ -system_server
+ } debugfs:file no_rw_file_perms;
+
+ # tracefs
+ neverallow {
+ coredomain
+ -atrace
+ -dumpstate
+ -init
+ userdebug_or_eng(`-perfprofd')
+ -traced_probes
+ -shell
+ -traceur_app
+ } debugfs_tracing:file no_rw_file_perms;
+
+ # inotifyfs
+ neverallow {
+ coredomain
+ -init
+ } inotify:file no_rw_file_perms;
+
+ # pstorefs
+ neverallow {
+ coredomain
+ -bootstat
+ -charger
+ -dumpstate
+ -healthd
+ userdebug_or_eng(`-incidentd')
+ -init
+ -logd
+ -logpersist
+ -recovery_persist
+ -recovery_refresh
+ -shell
+ -system_server
+ } pstorefs:file no_rw_file_perms;
+
+ # configfs
+ neverallow {
+ coredomain
+ -init
+ -system_server
+ } configfs:file no_rw_file_perms;
+
+ # functionfs
+ neverallow {
+ coredomain
+ -adbd
+ -init
+ -mediaprovider
+ -system_server
+ } functionfs:file no_rw_file_perms;
+
+ # usbfs and binfmt_miscfs
+ neverallow {
+ coredomain
+ -init
+ }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+')
diff --git a/prebuilts/api/28.0/private/drmserver.te b/prebuilts/api/28.0/private/drmserver.te
new file mode 100644
index 000000000..afe4f0aae
--- /dev/null
+++ b/prebuilts/api/28.0/private/drmserver.te
@@ -0,0 +1,7 @@
+typeattribute drmserver coredomain;
+
+init_daemon_domain(drmserver)
+
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/prebuilts/api/28.0/private/dumpstate.te b/prebuilts/api/28.0/private/dumpstate.te
new file mode 100644
index 000000000..2c2a62f53
--- /dev/null
+++ b/prebuilts/api/28.0/private/dumpstate.te
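Review bot: The `debugfs_tracing_debug` neverallow lists `userdebug_or_eng(`-domain')` among its exclusions, which subtracts every domain on userdebug/eng builds and leaves the rule with an empty subject set there; nothing in the hunk says this is intended, so the next person tightening the rule may not realise it only constrains user builds. Add a line above it such as `# On userdebug/eng builds every domain is excluded; this only binds user builds.` The sys_ptrace whitelist above it uses the same shape (`userdebug_or_eng(`-incidentd')`, `userdebug_or_eng(`-perfprofd')`) and would read better with a one-line reason per build-conditional exclusion, since those are the only two entries whose justification is not obvious from the domain name.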
@@ -0,0 +1,47 @@
+typeattribute dumpstate coredomain;
+
+init_daemon_domain(dumpstate)
+
+# Execute and transition to the vdc domain
+domain_auto_trans(dumpstate, vdc_exec, vdc)
+
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+allow dumpstate dumpstate_tmpfs:file execute;
+
+# systrace support - allow atrace to run
+allow dumpstate debugfs_tracing:dir r_dir_perms;
+allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
+allow dumpstate debugfs_trace_marker:file getattr;
+allow dumpstate atrace_exec:file rx_file_perms;
+allow dumpstate storaged_exec:file rx_file_perms;
+
+# /data/misc/wmtrace for wm traces
+userdebug_or_eng(`
+ allow dumpstate wm_trace_data_file:dir r_dir_perms;
+ allow dumpstate wm_trace_data_file:file r_file_perms;
+')
+
+# Allow dumpstate to make binder calls to storaged service
+binder_call(dumpstate, storaged)
+
+# Allow dumpstate to make binder calls to statsd
+binder_call(dumpstate, statsd)
+
+# Collect metrics on boot time created by init
+get_prop(dumpstate, boottime_prop)
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ statsd
+}:process signal;
+
+# For collecting bugreports.
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+allow dumpstate dev_type:blk_file getattr;
+allow dumpstate webview_zygote:process signal;
+dontaudit dumpstate perfprofd:binder call;
+dontaudit dumpstate update_engine:binder call;
diff --git a/prebuilts/api/28.0/private/ephemeral_app.te b/prebuilts/api/28.0/private/ephemeral_app.te
new file mode 100644
index 000000000..75a631765
--- /dev/null
+++ b/prebuilts/api/28.0/private/ephemeral_app.te
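Review bot: `allow dumpstate dumpstate_tmpfs:file execute;` lets dumpstate execute files on its own writable tmpfs, and the only explanation is `# TODO: deal with tmpfs_domain pub/priv split properly`, which names neither what gets executed nor a tracking bug; a write+execute grant in a domain that also runs `atrace_exec` and `storaged_exec` should say which file needs it so the TODO can actually be closed. I would expand the comment to `# TODO(<bug>): deal with tmpfs_domain pub/priv split properly. Executing from` / `# dumpstate's own writable tmpfs is a W+X grant; name the file that needs it and` / `# drop this once the split lands.` The two `dontaudit dumpstate ...:binder call;` lines at the end are also the only rules in this file without a why-comment; a one-liner saying these are best-effort dumps of services that may be absent (if that is the reason — confirm) would keep the file consistent.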
@@ -0,0 +1,81 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+typeattribute ephemeral_app coredomain;
+
+net_domain(ephemeral_app)
+app_domain(ephemeral_app)
+
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
+# services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediacodec_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediadrmserver_service:service_manager find;
+allow ephemeral_app drmserver_service:service_manager find;
+allow ephemeral_app radio_service:service_manager find;
+allow ephemeral_app ephemeral_app_api_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow ephemeral_app traced:fd use;
+allow ephemeral_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(ephemeral_app, traced_producer, traced)
+
+# allow ephemeral apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow ephemeral_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+###
+### neverallow rules
+###
+
+neverallow ephemeral_app app_data_file:file execute_no_trans;
+
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/28.0/private/file.te b/prebuilts/api/28.0/private/file.te
new file mode 100644
index 000000000..fda972b48
--- /dev/null
+++ b/prebuilts/api/28.0/private/file.te
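Review bot: The comment above the udp_socket rule says ephemeral apps may use system_server's UDP sockets "but not modify them other than to connect", yet the permission list on the next line includes `setopt`, so the rule does not match its own description — setopt lets the app change options on a socket that system_server owns and may keep using. Either drop it, `connect getattr read recvfrom sendto write getopt };`, or, if a caller genuinely needs setopt on the passed-in socket, reword the comment to say which options are expected to be set and why that is acceptable. The Perfetto comment a few lines earlier also misspells "daemon" as `damon`.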
@@ -0,0 +1,14 @@
+# /proc/config.gz
+type config_gz, fs_type, proc_type;
+
+# /data/misc/stats-data, /data/misc/stats-service
+type stats_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/storaged
+type storaged_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/wmtrace for wm traces
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts
new file mode 100644
index 000000000..c5169ff60
--- /dev/null
+++ b/prebuilts/api/28.0/private/file_contexts
@@ -0,0 +1,528 @@
+###########################################
+# Root
+/ u:object_r:rootfs:s0
+
+# Data files
+/adb_keys u:object_r:adb_keys_file:s0
+/build\.prop u:object_r:rootfs:s0
+/default\.prop u:object_r:rootfs:s0
+/fstab\..* u:object_r:rootfs:s0
+/init\..* u:object_r:rootfs:s0
+/res(/.*)? u:object_r:rootfs:s0
+/selinux_version u:object_r:rootfs:s0
+/ueventd\..* u:object_r:rootfs:s0
+/verity_key u:object_r:rootfs:s0
+
+# Executables
+/charger u:object_r:rootfs:s0
+/init u:object_r:init_exec:s0
+/sbin(/.*)? u:object_r:rootfs:s0
+
+# For kernel modules
+/lib(/.*)? u:object_r:rootfs:s0
+
+# Empty directories
+/lost\+found u:object_r:rootfs:s0
+/acct u:object_r:cgroup:s0
+/config u:object_r:rootfs:s0
+/mnt u:object_r:tmpfs:s0
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/proc u:object_r:rootfs:s0
+/sys u:object_r:sysfs:s0
+
+# Symlinks
+/bin u:object_r:rootfs:s0
+/bugreports u:object_r:rootfs:s0
+/d u:object_r:rootfs:s0
+/etc u:object_r:rootfs:s0
+/sdcard u:object_r:rootfs:s0
+
+# SELinux policy files
+/vendor_file_contexts u:object_r:file_contexts_file:s0
+/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/plat_file_contexts u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_property_contexts u:object_r:property_contexts_file:s0
+/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor_property_contexts u:object_r:property_contexts_file:s0
+/seapp_contexts u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/sepolicy u:object_r:sepolicy_file:s0
+/plat_service_contexts u:object_r:service_contexts_file:s0
+/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+# Use nonplat_service_contexts_file to allow servicemanager to read it
+# on non full-treble devices.
+/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vndservice_contexts u:object_r:vndservice_contexts_file:s0
+
+##########################
+# Devices
+#
+/dev(/.*)? u:object_r:device:s0
+/dev/akm8973.* u:object_r:sensors_device:s0
+/dev/accelerometer u:object_r:sensors_device:s0
+/dev/adf[0-9]* u:object_r:graphics_device:s0
+/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/alarm u:object_r:alarm_device:s0
+/dev/ashmem u:object_r:ashmem_device:s0
+/dev/audio.* u:object_r:audio_device:s0
+/dev/binder u:object_r:binder_device:s0
+/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
+/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vold/.+ u:object_r:vold_device:s0
+/dev/block/ram[0-9]* u:object_r:ram_device:s0
+/dev/block/zram[0-9]* u:object_r:ram_device:s0
+/dev/bus/usb(.*)? u:object_r:usb_device:s0
+/dev/cam u:object_r:camera_device:s0
+/dev/console u:object_r:console_device:s0
+/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
+/dev/memcg(/.*)? u:object_r:cgroup:s0
+/dev/device-mapper u:object_r:dm_device:s0
+/dev/eac u:object_r:audio_device:s0
+/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
+/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
+/dev/full u:object_r:full_device:s0
+/dev/fuse u:object_r:fuse_device:s0
+/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hw_random u:object_r:hw_random_device:s0
+/dev/hwbinder u:object_r:hwbinder_device:s0
+/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
+/dev/input(/.*)? u:object_r:input_device:s0
+/dev/iio:device[0-9]+ u:object_r:iio_device:s0
+/dev/ion u:object_r:ion_device:s0
+/dev/keychord u:object_r:keychord_device:s0
+/dev/kmem u:object_r:kmem_device:s0
+/dev/loop-control u:object_r:loop_control_device:s0
+/dev/mem u:object_r:kmem_device:s0
+/dev/modem.* u:object_r:radio_device:s0
+/dev/mtd(/.*)? u:object_r:mtd_device:s0
+/dev/mtp_usb u:object_r:mtp_device:s0
+/dev/pmsg0 u:object_r:pmsg_device:s0
+/dev/pn544 u:object_r:nfc_device:s0
+/dev/port u:object_r:port_device:s0
+/dev/ppp u:object_r:ppp_device:s0
+/dev/ptmx u:object_r:ptmx_device:s0
+/dev/pvrsrvkm u:object_r:gpu_device:s0
+/dev/kmsg u:object_r:kmsg_device:s0
+/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/null u:object_r:null_device:s0
+/dev/nvhdcp1 u:object_r:video_device:s0
+/dev/random u:object_r:random_device:s0
+/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
+/dev/rproc_user u:object_r:rpmsg_device:s0
+/dev/rtc[0-9] u:object_r:rtc_device:s0
+/dev/snd(/.*)? u:object_r:audio_device:s0
+/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
+/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
+/dev/socket(/.*)? u:object_r:socket_device:s0
+/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
+/dev/socket/lmkd u:object_r:lmkd_socket:s0
+/dev/socket/logd u:object_r:logd_socket:s0
+/dev/socket/logdr u:object_r:logdr_socket:s0
+/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/mdns u:object_r:mdns_socket:s0
+/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
+/dev/socket/mtpd u:object_r:mtpd_socket:s0
+/dev/socket/netd u:object_r:netd_socket:s0
+/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
+/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
+/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
+/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
+/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/racoon u:object_r:racoon_socket:s0
+/dev/socket/rild u:object_r:rild_socket:s0
+/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
+/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
+/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
+/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
+/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
+/dev/socket/zygote u:object_r:zygote_socket:s0
+/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
+/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/tegra.* u:object_r:video_device:s0
+/dev/tty u:object_r:owntty_device:s0
+/dev/tty[0-9]* u:object_r:tty_device:s0
+/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/tun u:object_r:tun_device:s0
+/dev/uhid u:object_r:uhid_device:s0
+/dev/uinput u:object_r:uhid_device:s0
+/dev/uio[0-9]* u:object_r:uio_device:s0
+/dev/urandom u:object_r:random_device:s0
+/dev/usb_accessory u:object_r:usbaccessory_device:s0
+/dev/v4l-touch[0-9]* u:object_r:input_device:s0
+/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
+/dev/video[0-9]* u:object_r:video_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
+/dev/watchdog u:object_r:watchdog_device:s0
+/dev/xt_qtaguid u:object_r:qtaguid_device:s0
+/dev/zero u:object_r:zero_device:s0
+/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/property_info u:object_r:property_info:s0
+#############################
+# System files
+#
+/system(/.*)? u:object_r:system_file:s0
+/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/blank_screen u:object_r:blank_screen_exec:s0
+/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
+/system/bin/mke2fs u:object_r:e2fs_exec:s0
+/system/bin/e2fsck -- u:object_r:fsck_exec:s0
+/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
+/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
+/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
+/system/bin/tune2fs -- u:object_r:fsck_exec:s0
+/system/bin/toolbox -- u:object_r:toolbox_exec:s0
+/system/bin/toybox -- u:object_r:toolbox_exec:s0
+/system/bin/logcat -- u:object_r:logcat_exec:s0
+/system/bin/logcatd -- u:object_r:logcat_exec:s0
+/system/bin/sh -- u:object_r:shell_exec:s0
+/system/bin/run-as -- u:object_r:runas_exec:s0
+/system/bin/bootanimation u:object_r:bootanim_exec:s0
+/system/bin/bootstat u:object_r:bootstat_exec:s0
+/system/bin/app_process32 u:object_r:zygote_exec:s0
+/system/bin/app_process64 u:object_r:zygote_exec:s0
+/system/bin/servicemanager u:object_r:servicemanager_exec:s0
+/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
+/system/bin/performanced u:object_r:performanced_exec:s0
+/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/dumpstate u:object_r:dumpstate_exec:s0
+/system/bin/incident u:object_r:incident_exec:s0
+/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/incident_helper u:object_r:incident_helper_exec:s0
+/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
+/system/bin/vold u:object_r:vold_exec:s0
+/system/bin/netd u:object_r:netd_exec:s0
+/system/bin/wificond u:object_r:wificond_exec:s0
+/system/bin/audioserver u:object_r:audioserver_exec:s0
+/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
+/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediametrics u:object_r:mediametrics_exec:s0
+/system/bin/cameraserver u:object_r:cameraserver_exec:s0
+/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/mdnsd u:object_r:mdnsd_exec:s0
+/system/bin/installd u:object_r:installd_exec:s0
+/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
+/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
+/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
+/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
+/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
+/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
+/system/bin/sdcard u:object_r:sdcardd_exec:s0
+/system/bin/dhcpcd u:object_r:dhcp_exec:s0
+/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
+/system/bin/mtpd u:object_r:mtp_exec:s0
+/system/bin/pppd u:object_r:ppp_exec:s0
+/system/bin/racoon u:object_r:racoon_exec:s0
+/system/xbin/su u:object_r:su_exec:s0
+/system/bin/perfprofd u:object_r:perfprofd_exec:s0
+/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
+/system/bin/healthd u:object_r:healthd_exec:s0
+/system/bin/clatd u:object_r:clatd_exec:s0
+/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/usbd u:object_r:usbd_exec:s0
+/system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_probes u:object_r:traced_probes_exec:s0
+/system/bin/uncrypt u:object_r:uncrypt_exec:s0
+/system/bin/update_verifier u:object_r:update_verifier_exec:s0
+/system/bin/logwrapper u:object_r:system_file:s0
+/system/bin/vdc u:object_r:vdc_exec:s0
+/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
+/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
+/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+# patchoat executable has (essentially) the same requirements as dex2oat.
+/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/profman(d)? u:object_r:profman_exec:s0
+/system/bin/sgdisk u:object_r:sgdisk_exec:s0
+/system/bin/blkid u:object_r:blkid_exec:s0
+/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/update_engine u:object_r:update_engine_exec:s0
+/system/bin/bspatch u:object_r:update_engine_exec:s0
+/system/bin/storaged u:object_r:storaged_exec:s0
+/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
+/system/bin/wpantund u:object_r:wpantund_exec:s0
+/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
+/system/bin/adbd u:object_r:adbd_exec:s0
+/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
+/system/bin/stats u:object_r:stats_exec:s0
+/system/bin/statsd u:object_r:statsd_exec:s0
+/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+ +############################# +# Vendor files +# +/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0 +/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0 +/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0 +/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0 +/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0 + +/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0 + +/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0 + +/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0 +/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0 +/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0 +/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0 +/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0 +/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0 +/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0 + +# HAL location +/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0 + +############################# +# OEM and ODM files +# +/(odm|vendor/odm)(/.*)? u:object_r:vendor_file:s0 +/(odm|vendor/odm)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0 +/(odm|vendor/odm)/lib(64)?/hw u:object_r:vendor_hal_file:s0 +/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0 +/(odm|vendor/odm)/bin/sh u:object_r:vendor_shell_exec:s0 +/(odm|vendor/odm)/etc(/.*)? u:object_r:vendor_configs_file:s0 +/(odm|vendor/odm)/app(/.*)? u:object_r:vendor_app_file:s0 +/(odm|vendor/odm)/priv-app(/.*)? u:object_r:vendor_app_file:s0 +/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0 +/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0 + +/oem(/.*)? 
u:object_r:oemfs:s0 + +# The precompiled monolithic sepolicy will be under /odm only when +# BOARD_USES_ODMIMAGE is true: a separate odm.img is built. +/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0 +/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0 + +/(odm|vendor/odm)/etc/selinux/odm_sepolicy.cil u:object_r:sepolicy_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0 +/(odm|vendor/odm)/etc/selinux/odm_mac_permissions.xml u:object_r:mac_perms_file:s0 + +############################# +# Product files +# +/(product|system/product)(/.*)? u:object_r:system_file:s0 + +############################# +# Data files +# +# NOTE: When modifying existing label rules, changes may also need to +# propagate to the "Expanded data files" section. +# +/data(/.*)? u:object_r:system_data_file:s0 +/data/.layout_version u:object_r:install_data_file:s0 +/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0 +/data/backup(/.*)? u:object_r:backup_data_file:s0 +/data/secure/backup(/.*)? u:object_r:backup_data_file:s0 +/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0 +/data/drm(/.*)? u:object_r:drm_data_file:s0 +/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0 +/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0 +/data/ota(/.*)? u:object_r:ota_data_file:s0 +/data/ota_package(/.*)? u:object_r:ota_package_file:s0 +/data/adb(/.*)? u:object_r:adb_data_file:s0 +/data/anr(/.*)? u:object_r:anr_data_file:s0 +/data/app(/.*)? u:object_r:apk_data_file:s0 +/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +/data/app/vmdl[^/]+\.tmp(/.*)? 
u:object_r:apk_tmp_file:s0 +/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +/data/app-private(/.*)? u:object_r:apk_private_data_file:s0 +/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0 +/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0 +/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0 +/data/local/tmp(/.*)? u:object_r:shell_data_file:s0 +/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0 +/data/local/traces(/.*)? u:object_r:trace_data_file:s0 +/data/media(/.*)? u:object_r:media_rw_data_file:s0 +/data/mediadrm(/.*)? u:object_r:media_data_file:s0 +/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0 +/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0 +/data/property(/.*)? u:object_r:property_data_file:s0 +/data/preloads(/.*)? u:object_r:preloads_data_file:s0 +/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0 +/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0 + +# Misc data +/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0 +/data/misc/audio(/.*)? u:object_r:audio_data_file:s0 +/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0 +/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0 +/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0 +/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0 +/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0 +/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0 +/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0 +/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0 +/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0 +/data/misc/camera(/.*)? u:object_r:camera_data_file:s0 +/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0 +/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0 +/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0 +/data/misc/gatekeeper(/.*)? 
u:object_r:gatekeeper_data_file:s0 +/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0 +/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0 +/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0 +/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0 +/data/misc/media(/.*)? u:object_r:media_data_file:s0 +/data/misc/net(/.*)? u:object_r:net_data_file:s0 +/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0 +/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0 +/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0 +/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0 +/data/misc/sms(/.*)? u:object_r:radio_data_file:s0 +/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0 +/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0 +/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0 +/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0 +/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0 +/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0 +/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0 +/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0 +/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0 +/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0 +/data/misc/vold(/.*)? u:object_r:vold_data_file:s0 +/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0 +/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0 +/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0 +/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0 +/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0 +/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0 +# TODO(calin) label profile reference differently so that only +# profman run as a special user can write to them +/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0 +/data/misc/profiles/ref(/.*)? 
u:object_r:user_profile_data_file:s0 +/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0 +/data/vendor(/.*)? u:object_r:vendor_data_file:s0 +/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0 +/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0 + +# storaged proto files +/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0 +/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0 + +# Fingerprint data +/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0 + +# Fingerprint vendor data file +/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0 + +# Bootchart data +/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0 + +############################# +# Expanded data files +# +/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0 +/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0 +/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0 +/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0 +/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0 +/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0 +/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0 +/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0 + +# coredump directory for userdebug/eng devices +/cores(/.*)? u:object_r:coredump_file:s0 + +# Wallpaper files +/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0 +/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0 +/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0 +/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0 + +# Ringtone files +/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0 + +# ShortcutManager icons, e.g. 
+# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png +/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0 + +# User icon files +/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0 + +# vold per-user data +/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0 +/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0 + +############################# +# efs files +# +/efs(/.*)? u:object_r:efs_file:s0 + +############################# +# Cache files +# +/cache(/.*)? u:object_r:cache_file:s0 +/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0 +# General backup/restore interchange with apps +/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0 +# LocalTransport (backup) uses this subtree +/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0 + +/data/cache(/.*)? u:object_r:cache_file:s0 +/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0 +# General backup/restore interchange with apps +/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0 +# LocalTransport (backup) uses this subtree +/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0 + +############################# +# asec containers +/mnt/asec(/.*)? u:object_r:asec_apk_file:s0 +/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0 +/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0 +/data/app-asec(/.*)? u:object_r:asec_image_file:s0 + +############################# +# external storage +/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0 +/mnt/user(/.*)? u:object_r:mnt_user_file:s0 +/mnt/runtime(/.*)? u:object_r:storage_file:s0 +/storage(/.*)? u:object_r:storage_file:s0 diff --git a/prebuilts/api/28.0/private/file_contexts_asan b/prebuilts/api/28.0/private/file_contexts_asan new file mode 100644 index 000000000..17ee9d795 --- /dev/null +++ b/prebuilts/api/28.0/private/file_contexts_asan 
@@ -0,0 +1,11 @@ +/data/asan/system/lib(/.*)? u:object_r:system_file:s0 +/data/asan/system/lib64(/.*)? u:object_r:system_file:s0 +/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0 +/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0 +/data/asan/odm/lib(/.*)? u:object_r:system_file:s0 +/data/asan/odm/lib64(/.*)? u:object_r:system_file:s0 +/system/bin/asan_extract u:object_r:asan_extract_exec:s0 +/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0 +/system/bin/asan/app_process u:object_r:zygote_exec:s0 +/system/bin/asan/app_process32 u:object_r:zygote_exec:s0 +/system/bin/asan/app_process64 u:object_r:zygote_exec:s0 diff --git a/prebuilts/api/28.0/private/fingerprintd.te b/prebuilts/api/28.0/private/fingerprintd.te new file mode 100644 index 000000000..eb73ef8cc --- /dev/null +++ b/prebuilts/api/28.0/private/fingerprintd.te @@ -0,0 +1,3 @@ +typeattribute fingerprintd coredomain; + +init_daemon_domain(fingerprintd) diff --git a/prebuilts/api/28.0/private/fs_use b/prebuilts/api/28.0/private/fs_use new file mode 100644 index 000000000..4bd11126e --- /dev/null +++ b/prebuilts/api/28.0/private/fs_use 
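Review bot: The six `/data/asan/.../lib(64)?` entries give a writable /data subtree the `system_file` label, and nothing in the file says why that is acceptable, so a later reader may take it as precedent for labelling other /data paths as system content. I would open the file with a short header such as `# Sanitizer builds: instrumented copies of /system, /vendor and /odm libraries are` / `# extracted under /data/asan and must carry the same label as the originals.` Whether the build actually restricts this file to sanitizer images is not visible in the diff, so that wording should be checked against the rule that installs it.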
@@ -0,0 +1,23 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
diff --git a/prebuilts/api/28.0/private/fsck.te b/prebuilts/api/28.0/private/fsck.te
new file mode 100644
index 000000000..f8e09b645
--- /dev/null
+++ b/prebuilts/api/28.0/private/fsck.te
@@ -0,0 +1,5 @@
+typeattribute fsck coredomain;
+
+init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/prebuilts/api/28.0/private/fsck_untrusted.te b/prebuilts/api/28.0/private/fsck_untrusted.te
new file mode 100644
index 000000000..9a57bf027
--- /dev/null
+++ b/prebuilts/api/28.0/private/fsck_untrusted.te
@@ -0,0 +1 @@
+typeattribute fsck_untrusted coredomain;
diff --git a/prebuilts/api/28.0/private/gatekeeperd.te b/prebuilts/api/28.0/private/gatekeeperd.te
new file mode 100644
index 000000000..5e4d0a2e9
--- /dev/null
+++ b/prebuilts/api/28.0/private/gatekeeperd.te
@@ -0,0 +1,3 @@
+typeattribute gatekeeperd coredomain;
+
+init_daemon_domain(gatekeeperd)
diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
new file mode 100644
index 000000000..c261afa9e
--- /dev/null
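Review bot: In fsck.te, `allow fsck metadata_block_device:blk_file rw_file_perms;` is the only rule beyond the domain boilerplate and carries no comment, yet a direct read/write grant on a block device is exactly the line a later policy reviewer will stop on. I would precede it with `# fsck checks and repairs the metadata partition, which needs rw on its block device.` The other .te files in this chunk (healthd.te, halclientdomain.te) do comment their non-boilerplate rules, so this brings fsck.te in line with them.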
+++ b/prebuilts/api/28.0/private/genfs_contexts 
@@ -0,0 +1,241 @@
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
+genfscon proc /filesystems u:object_r:proc_filesystems:s0
+genfscon proc /interrupts u:object_r:proc_interrupts:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /softirqs u:object_r:proc_timer:s0
+genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /swaps u:object_r:proc_swaps:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_timeout_secs u:object_r:proc_hung_task:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
+genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /timer_list u:object_r:proc_timer:s0
+genfscon proc /timer_stats u:object_r:proc_timer:s0
+genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
+genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /class/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
+genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
+genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
+genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+
+genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:vfat:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
+genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
diff --git a/prebuilts/api/28.0/private/hal_allocator_default.te b/prebuilts/api/28.0/private/hal_allocator_default.te
new file mode 100644
index 000000000..49ef1781b
--- /dev/null
+++ b/prebuilts/api/28.0/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain, coredomain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/28.0/private/halclientdomain.te b/prebuilts/api/28.0/private/halclientdomain.te
new file mode 100644
index 000000000..9dcd3ee38
--- /dev/null
+++ b/prebuilts/api/28.0/private/halclientdomain.te
@@ -0,0 +1,13 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/private/halserverdomain.te b/prebuilts/api/28.0/private/halserverdomain.te
new file mode 100644
index 000000000..f36e0e7d8
--- /dev/null
+++ b/prebuilts/api/28.0/private/halserverdomain.te
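Review bot: In genfs_contexts the debugfs `/tracing/...` entries and the tracefs `/...` entries are hand-maintained mirrors of each other (the `events/sync/` through `events/block/block_rq_complete/` list and the `trace_clock` through `events/lowmemorykiller/` list each appear twice, once per filesystem), yet nothing marks the two lists as paired, so an entry added to one and not the other will silently get a different label depending on which mount the kernel exposes. I would put one comment ahead of `genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0`: `# Keep the debugfs /tracing/* and tracefs /* entries below in sync; they describe the same tracing tree under two mounts.` Separately, `genfscon proc /softirqs u:object_r:proc_timer:s0` shares a type with `/timer_list` and `/timer_stats` without a word on why, presumably because the same readers consume all three; a one-line reason next to it would save the next maintainer from "fixing" it.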
@@ -0,0 +1,12 @@
+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/prebuilts/api/28.0/private/healthd.te b/prebuilts/api/28.0/private/healthd.te
new file mode 100644
index 000000000..20d079173
--- /dev/null
+++ b/prebuilts/api/28.0/private/healthd.te
@@ -0,0 +1,6 @@
+typeattribute healthd coredomain;
+
+init_daemon_domain(healthd)
+
+# Allow healthd to serve health HAL
+hal_server_domain(healthd, hal_health)
diff --git a/prebuilts/api/28.0/private/hwservice_contexts b/prebuilts/api/28.0/private/hwservice_contexts
new file mode 100644
index 000000000..998bf2fea
--- /dev/null
+++ b/prebuilts/api/28.0/private/hwservice_contexts
@@ -0,0 +1,68 @@
+android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
+android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_broadcastradio_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
+android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
+android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
+android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
+android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
+android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
+android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
+android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
+android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
+* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/28.0/private/hwservicemanager.te b/prebuilts/api/28.0/private/hwservicemanager.te
new file mode 100644
index 000000000..f56e0c61d
--- /dev/null
+++ b/prebuilts/api/28.0/private/hwservicemanager.te
@@ -0,0 +1,8 @@
+typeattribute hwservicemanager coredomain;
+
+init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
+
+set_prop(hwservicemanager, ctl_default_prop)
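Review bot: The label for `android.hardware.configstore::ISurfaceFlingerConfigs` is `hal_configstore_ISurfaceFlingerConfigs`, the one entry in this file whose type does not follow the `*_hwservice` naming every other line uses, so a grep-based audit of hwservice types will miss it; because this is a frozen prebuilts/api/28.0 snapshot, a rename would have to land in the source policy and a later API level rather than here. The trailing `* u:object_r:default_android_hwservice:s0` entry gives any unlisted HIDL interface the default type, so a new interface that is not assigned a dedicated type inherits whatever the default type is allowed instead of failing closed. A comment above the wildcard such as `# Catch-all: unlisted interfaces get default_android_hwservice; give a new HAL a dedicated type before shipping it` would make that visible to readers of the snapshot.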
diff --git a/prebuilts/api/28.0/private/idmap.te b/prebuilts/api/28.0/private/idmap.te
new file mode 100644
index 000000000..73abf3552
--- /dev/null
+++ b/prebuilts/api/28.0/private/idmap.te
@@ -0,0 +1 @@
+typeattribute idmap coredomain;
diff --git a/prebuilts/api/28.0/private/incident.te b/prebuilts/api/28.0/private/incident.te
new file mode 100644
index 000000000..1844898ea
--- /dev/null
+++ b/prebuilts/api/28.0/private/incident.te
@@ -0,0 +1,30 @@
+typeattribute incident coredomain;
+
+type incident_exec, exec_type, file_type;
+
+# switch to incident domain for incident command
+domain_auto_trans(shell, incident_exec, incident)
+
+# allow incident access to stdout from its parent shell.
+allow incident shell:fd use;
+
+# allow incident be able to output data for CTS to fetch.
+allow incident devpts:chr_file { read write };
+
+# allow incident to communicate use, read and write over the adb
+# connection.
+allow incident adbd:fd use;
+allow incident adbd:unix_stream_socket { read write };
+
+# allow adbd to reap incident
+allow incident adbd:process { sigchld };
+
+# Allow the incident command to talk to the incidentd over the binder, and get
+# back the incident report data from a ParcelFileDescriptor.
+binder_use(incident)
+allow incident incident_service:service_manager find;
+binder_call(incident, incidentd)
+allow incident incidentd:fifo_file write;
+
+# only allow incident being called by shell
+neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/28.0/private/incident_helper.te b/prebuilts/api/28.0/private/incident_helper.te
new file mode 100644
index 000000000..e1e3fc826
--- /dev/null
+++ b/prebuilts/api/28.0/private/incident_helper.te
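Review bot: The comment `# only allow incident being called by shell` above the closing neverallow understates the rule it describes, which also exempts `su` and `incident` itself from executing `incident_exec`, so a reader auditing who may launch the command from the comment alone would miss the `su` exemption. Suggest `# only shell (and su on debug builds) may execute incident; incident itself is exempt for execute_no_trans` — that `su` exists only on userdebug/eng builds is my assumption from the rest of the tree, not something this hunk shows. The earlier `# allow incident be able to output data for CTS to fetch.` could also read `# allow incident to write its output to the caller's terminal so CTS can fetch it`. Since this is a prebuilts/api/28.0 snapshot, the wording change belongs in the source policy.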
@@ -0,0 +1,14 @@
+typeattribute incident_helper coredomain;
+
+type incident_helper_exec, exec_type, file_type;
+
+# switch to incident_helper domain for incident_helper command
+domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
+
+# use pipe to transmit data from/to incidentd/incident_helper for parsing
+allow incident_helper { shell incident incidentd }:fd use;
+allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper incidentd:unix_stream_socket { read write };
+
+# only allow incidentd and shell to call incident_helper
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/28.0/private/incidentd.te b/prebuilts/api/28.0/private/incidentd.te
new file mode 100644
index 000000000..6b248f181
--- /dev/null
+++ b/prebuilts/api/28.0/private/incidentd.te
@@ -0,0 +1,166 @@
+typeattribute incidentd coredomain;
+typeattribute incidentd mlstrustedsubject;
+
+init_daemon_domain(incidentd)
+type incidentd_exec, exec_type, file_type;
+binder_use(incidentd)
+wakelock_use(incidentd)
+
+# Allow incidentd to scan through /proc/pid for all processes
+r_dir_file(incidentd, domain)
+
+# Allow incidentd to kill incident_helper when timeout
+allow incidentd incident_helper:process sigkill;
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow incidentd system_file:file execute_no_trans;
+allow incidentd toolbox_exec:file rx_file_perms;
+
+# section id 2001, allow reading /proc/pagetypeinfo
+allow incidentd proc_pagetypeinfo:file r_file_perms;
+
+# section id 2002, allow reading /d/wakeup_sources
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
+
+# section id 2003, allow executing top
+allow incidentd proc_meminfo:file { open read };
+
+# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
+allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+
+# section id 2005, allow reading ps dump in full
+allow incidentd domain:process getattr;
+
+# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
+allow incidentd sysfs_batteryinfo:dir { search };
+allow incidentd sysfs_batteryinfo:file r_file_perms;
+
+# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
+userdebug_or_eng(`allow incidentd pstorefs:dir search');
+userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+
+# Create and write into /data/misc/incidents
+allow incidentd incident_data_file:dir rw_dir_perms;
+allow incidentd incident_data_file:file create_file_perms;
+
+# Enable incidentd to get stack traces.
+binder_use(incidentd)
+hwbinder_use(incidentd)
+allow incidentd hwservicemanager:hwservice_manager { list };
+get_prop(incidentd, hwservicemanager_prop)
+allow incidentd hidl_manager_hwservice:hwservice_manager { find };
+
+# Read files in /proc
+allow incidentd {
+ proc_cmdline
+ proc_pipe_conf
+ proc_stat
+}:file r_file_perms;
+
+# Signal java processes to dump their stack and get the results
+allow incidentd { appdomain ephemeral_app system_server }:process signal;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in incidentd/utils.c
+allow incidentd {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ sdcardd
+ statsd
+ surfaceflinger
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_graphics_composer_server
+ hal_sensors_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
+}:process signal;
+
+# Allow incidentd to make binder calls to any binder service
+binder_call(incidentd, system_server)
+binder_call(incidentd, appdomain)
+
+# Reading /proc/PID/maps of other processes
+userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
+# incidentd has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow incidentd *:process ptrace;
+
+allow incidentd self:global_capability_class_set {
+ # Send signals to processes
+ kill
+};
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
+
+# Run a shell.
+allow incidentd shell_exec:file rx_file_perms;
+
+# logd access - work to be done is a PII safe log (possibly an event log?)
+userdebug_or_eng(`read_logd(incidentd)')
+# TODO control_logd(incidentd)
+
+# Allow incidentd to find these standard groups of services.
+# Others can be whitelisted individually.
+allow incidentd {
+ system_server_service
+ app_api_service
+ system_api_service
+}:service_manager find;
+
+# Only incidentd can publish the binder service
+add_service(incidentd, incident_service)
+
+# Allow pipes from (and only from) incident
+allow incidentd incident:fd use;
+allow incidentd incident:fifo_file write;
+
+# Allow incident to call back to incident with status updates.
+binder_call(incidentd, incident)
+
+###
+### neverallow rules
+###
+
+# only system_server, system_app and incident command can find the incident service
+neverallow {
+ domain
+ -incident
+ -incidentd
+ -statsd
+ -system_app
+ -system_server
+} incident_service:service_manager find;
+
+# only incidentd and the other root services in limited circumstances
+# can get to the files in /data/misc/incidents
+#
+# write, execute, append are forbidden almost everywhere
+neverallow { domain -incidentd -init -vold } incident_data_file:file {
+ w_file_perms
+ x_file_perms
+ create
+ rename
+ setattr
+ unlink
+ append
+};
+# read is also allowed by system_server, for when the file is handed to dropbox
+neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
+# limited access to the directory itself
+neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
+
diff --git a/prebuilts/api/28.0/private/init.te b/prebuilts/api/28.0/private/init.te
new file mode 100644
index 000000000..e9959d3d2
--- /dev/null
+++ b/prebuilts/api/28.0/private/init.te
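Review bot: `binder_use(incidentd)` is invoked twice in this hunk, once in the preamble next to `wakelock_use(incidentd)` and again under `# Enable incidentd to get stack traces.`; the second call is redundant and leaves it unclear which block owns the binder grant. The native-process signal block also carries two conflicting provenance comments, `# This list comes from native_processes_to_dump in incidentd/utils.c` immediately followed by `# This list comes from native_processes_to_dump in dumputils/dump_utils.cpp`, so one of them is stale and should be dropped. Separately, `# section id 2003, allow executing top` sits above `allow incidentd proc_meminfo:file { open read };`, which grants a read of proc_meminfo rather than anything about executing top; `# section id 2003, allow reading /proc/meminfo (consumed by top)` would match the rule. The pairing of the userdebug-only `sys_ptrace` capability with `neverallow incidentd *:process ptrace;` is a sound fail-closed pattern and worth keeping exactly as written. This is a frozen prebuilts/api/28.0 snapshot, so these are notes for the source policy rather than edits to this file.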
@@ -0,0 +1,22 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, charger)
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+domain_auto_trans(init, e2fs_exec, e2fs)
+recovery_only(`
+ domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
+domain_trans(init, init_exec, vendor_init)
+domain_trans(init, { rootfs toolbox_exec }, modprobe)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+ domain_auto_trans(init, logcat_exec, logpersist)
+')
diff --git a/prebuilts/api/28.0/private/initial_sid_contexts b/prebuilts/api/28.0/private/initial_sid_contexts
new file mode 100644
index 000000000..98190510f
--- /dev/null
+++ b/prebuilts/api/28.0/private/initial_sid_contexts
@@ -0,0 +1,27 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
diff --git a/prebuilts/api/28.0/private/initial_sids b/prebuilts/api/28.0/private/initial_sids
new file mode 100644
index 000000000..91ac816ba
--- /dev/null
+++ b/prebuilts/api/28.0/private/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/prebuilts/api/28.0/private/inputflinger.te b/prebuilts/api/28.0/private/inputflinger.te
new file mode 100644
index 000000000..9696b491b
--- /dev/null
+++ b/prebuilts/api/28.0/private/inputflinger.te
@@ -0,0 +1,3 @@
+typeattribute inputflinger coredomain;
+
+init_daemon_domain(inputflinger)
diff --git a/prebuilts/api/28.0/private/install_recovery.te b/prebuilts/api/28.0/private/install_recovery.te
new file mode 100644
index 000000000..b79d683a6
--- /dev/null
+++ b/prebuilts/api/28.0/private/install_recovery.te
@@ -0,0 +1,3 @@
+typeattribute install_recovery coredomain;
+
+init_daemon_domain(install_recovery)
diff --git a/prebuilts/api/28.0/private/installd.te b/prebuilts/api/28.0/private/installd.te
new file mode 100644
index 000000000..055371631
--- /dev/null
+++ b/prebuilts/api/28.0/private/installd.te
@@ -0,0 +1,22 @@
+typeattribute installd coredomain;
+
+init_daemon_domain(installd)
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
+# Create /data/.layout_version.* file
+type_transition installd system_data_file:file install_data_file;
+
+# For collecting bugreports.
+allow installd dumpstate:fd use;
+allow installd dumpstate:fifo_file r_file_perms;
diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
new file mode 100644
index 000000000..a6276b38c
--- /dev/null
+++ b/prebuilts/api/28.0/private/isolated_app.te
@@ -0,0 +1,119 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+typeattribute isolated_app coredomain;
+
+app_domain(isolated_app)
+
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app app_data_file:file { append read write getattr lock };
+
+allow isolated_app activity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app self:process ptrace;
+
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules below.
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
+
+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_app shell_data_file:dir search;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow isolated_app traced:fd use;
+allow isolated_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(isolated_app, traced_producer, traced)
+
+#####
+##### Neverallow
+#####
+
+# Do not allow isolated_app to directly open tun_device
+neverallow isolated_app tun_device:chr_file open;
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
+# Isolated apps must not be permitted to use HwBinder
+neverallow isolated_app hwbinder_device:chr_file *;
+neverallow isolated_app *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services whitelisted below.
+neverallow isolated_app *:service_manager ~find;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
+neverallow isolated_app {
+ service_manager_type
+ -activity_service
+ -display_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
+
+# Do not allow isolated_app to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+
+# Do not allow USB access
+neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app webview_zygote:sock_file write;
+
+# Limit the /sys files which isolated_app can access. This is important
+# for controlling isolated_app attack surface.
+neverallow isolated_app {
+ sysfs_type
+ -sysfs_devices_system_cpu
+ -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+}:file no_rw_file_perms;
diff --git a/prebuilts/api/28.0/private/kernel.te b/prebuilts/api/28.0/private/kernel.te
new file mode 100644
index 000000000..a4e6ebe36
--- /dev/null
+++ b/prebuilts/api/28.0/private/kernel.te
@@ -0,0 +1,3 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
diff --git a/prebuilts/api/28.0/private/keys.conf b/prebuilts/api/28.0/private/keys.conf
new file mode 100644
index 000000000..7a307b5de
--- /dev/null
+++ b/prebuilts/api/28.0/private/keys.conf
@@ -0,0 +1,25 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+
+[@MEDIA]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
+
+[@SHARED]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
+
+# Example of ALL TARGET_BUILD_VARIANTS
+[@RELEASE]
+ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+
diff --git a/prebuilts/api/28.0/private/keystore.te b/prebuilts/api/28.0/private/keystore.te
new file mode 100644
index 000000000..7f71028ba
--- /dev/null
+++ b/prebuilts/api/28.0/private/keystore.te
@@ -0,0 +1,19 @@
+typeattribute keystore coredomain;
+
+init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
+
+# Allow to check whether security logging is enabled.
+get_prop(keystore, device_logging_prop)
diff --git a/prebuilts/api/28.0/private/lmkd.te b/prebuilts/api/28.0/private/lmkd.te
new file mode 100644
index 000000000..a07ce879c
--- /dev/null
+++ b/prebuilts/api/28.0/private/lmkd.te
@@ -0,0 +1,3 @@
+typeattribute lmkd coredomain;
+
+init_daemon_domain(lmkd)
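Review bot: The `[@RELEASE]` section is introduced by `# Example of ALL TARGET_BUILD_VARIANTS` but is not commented out, so it is live configuration mapping `@RELEASE` to `testkey.x509.pem` for ENG, USER and USERDEBUG alike; whether anything in mac_permissions.xml references `@RELEASE` is not visible in this hunk, and if nothing does, the block is dead config that invites copy-paste reuse of the test key for a real tag. If the section is meant as documentation only, prefixing each of its lines with `#` or folding it into the header comment removes the ambiguity. The header comment also has a typo: `Typcially` should read `Typically`. This is a prebuilts/api/28.0 snapshot, so both changes belong in the source tree rather than here.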
diff --git a/prebuilts/api/28.0/private/logd.te b/prebuilts/api/28.0/private/logd.te
new file mode 100644
index 000000000..4338e4005
--- /dev/null
+++ b/prebuilts/api/28.0/private/logd.te
@@ -0,0 +1,39 @@
+typeattribute logd coredomain;
+
+init_daemon_domain(logd)
+
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
+# only on userdebug or eng builds
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow logd {
+ file_type
+ -logd_tmpfs
+ -runtime_event_log_tags_file
+ userdebug_or_eng(`-coredump_file -misc_logd_file')
+}:file { create write append };
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -appdomain # covered below
+ -bootstat
+ -dumpstate
+ -init
+ -logd
+ userdebug_or_eng(`-logpersist')
+ -servicemanager
+ -system_server
+ -surfaceflinger
+ -zygote
+} runtime_event_log_tags_file:file no_rw_file_perms;
+
+neverallow {
+ appdomain
+ -bluetooth
+ -platform_app
+ -priv_app
+ -radio
+ -shell
+ userdebug_or_eng(`-su')
+ -system_app
+} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/prebuilts/api/28.0/private/logpersist.te b/prebuilts/api/28.0/private/logpersist.te
new file mode 100644
index 000000000..8cdbd2dd0
--- /dev/null
+++ b/prebuilts/api/28.0/private/logpersist.te
@@ -0,0 +1,24 @@
+typeattribute logpersist coredomain;
+
+# android debug log storage in logpersist domains (eng and userdebug only)
+userdebug_or_eng(`
+
+ r_dir_file(logpersist, cgroup)
+
+ allow logpersist misc_logd_file:file create_file_perms;
+ allow logpersist misc_logd_file:dir rw_dir_perms;
+
+ allow logpersist self:global_capability_class_set sys_nice;
+ allow logpersist pstorefs:dir search;
+ allow logpersist pstorefs:file r_file_perms;
+
+ control_logd(logpersist)
+ unix_socket_connect(logpersist, logdr, logd)
+ read_runtime_log_tags(logpersist)
+
+')
+
+# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
+neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/28.0/private/mac_permissions.xml b/prebuilts/api/28.0/private/mac_permissions.xml
new file mode 100644
index 000000000..1fcd2a409
--- /dev/null
+++ b/prebuilts/api/28.0/private/mac_permissions.xml
@@ -0,0 +1,59 @@
+ + + + + + + + + + + + + + +
diff --git a/prebuilts/api/28.0/private/mdnsd.te b/prebuilts/api/28.0/private/mdnsd.te
new file mode 100644
index 000000000..96259e298
--- /dev/null
+++ b/prebuilts/api/28.0/private/mdnsd.te
@@ -0,0 +1,12 @@
+# mdns daemon
+
+typeattribute mdnsd coredomain;
+typeattribute mdnsd mlstrustedsubject;
+
+type mdnsd_exec, exec_type, file_type;
+init_daemon_domain(mdnsd)
+
+net_domain(mdnsd)
+
+# Read from /proc/net
+r_dir_file(mdnsd, proc_net)
diff --git a/prebuilts/api/28.0/private/mediadrmserver.te b/prebuilts/api/28.0/private/mediadrmserver.te
new file mode 100644
index 000000000..4e511a819
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediadrmserver.te
@@ -0,0 +1,8 @@
+typeattribute mediadrmserver coredomain;
+
+init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
diff --git a/prebuilts/api/28.0/private/mediaextractor.te b/prebuilts/api/28.0/private/mediaextractor.te
new file mode 100644
index 000000000..c1a85219c
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediaextractor.te
@@ -0,0 +1,3 @@
+typeattribute mediaextractor coredomain;
+
+init_daemon_domain(mediaextractor)
diff --git a/prebuilts/api/28.0/private/mediametrics.te b/prebuilts/api/28.0/private/mediametrics.te
new file mode 100644
index 000000000..f8b2fa5cd
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediametrics.te
@@ -0,0 +1,3 @@
+typeattribute mediametrics coredomain;
+
+init_daemon_domain(mediametrics)
diff --git a/prebuilts/api/28.0/private/mediaprovider.te b/prebuilts/api/28.0/private/mediaprovider.te
new file mode 100644
index 000000000..fc6ec5a1c
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediaprovider.te
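Review bot: `auditallow mediadrmserver hal_graphics_allocator_server:binder call;` carries no comment saying why this call path is being audited or what outcome ends the audit (dropping the rule once the logs stay quiet, or tightening the `hal_client_domain` grant above it), so a later reader cannot tell whether the audit is still wanted. Suggest a one-line comment above it such as `# TODO: auditing whether mediadrmserver still calls the graphics allocator directly; remove once confirmed` — the purpose is my inference, so the real reason and tracking bug should replace it. The hunk also ends with a stray blank added line. As this is a frozen prebuilts/api/28.0 snapshot, the comment belongs in the source policy rather than here.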
@@ -0,0 +1,41 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+# mediaprovider searches through /cache looking for orphans
+# Ignore denials to /cache/recovery and /cache/backup.
+dontaudit mediaprovider cache_private_backup_file:dir getattr;
+dontaudit mediaprovider cache_recovery_file:dir getattr;
+
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
+allow mediaprovider mediaextractor_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)
+set_prop(mediaprovider, exported_ffs_prop)
diff --git a/prebuilts/api/28.0/private/mediaserver.te b/prebuilts/api/28.0/private/mediaserver.te
new file mode 100644
index 000000000..a5fa9e10e
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediaserver.te
@@ -0,0 +1,11 @@
+typeattribute mediaserver coredomain;
+
+init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/private/mls b/prebuilts/api/28.0/private/mls
new file mode 100644
index 000000000..3b8ee3f47
--- /dev/null
+++ b/prebuilts/api/28.0/private/mls
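Review bot: The TODO above `allow mediaserver hal_codec2_hwservice:hwservice_manager find;` explains only the OMX HAL exemption, yet the Codec2 hwservice `find` sits under the same TODO without being mentioned, so a reader cannot tell whether that line is also meant to disappear when b/36375899 lands or is a permanent grant. Extend the comment to cover both, e.g. `# TODO(b/36375899): Remove these once the OMX and Codec2 HALs are attributized and mediaserver is marked as a client of both.`, or give the codec2 line its own one-line justification if it is intended to stay.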
@@ -0,0 +1,100 @@ +################################################# +# MLS policy constraints +# + +# +# Process constraints +# + +# Process transition: Require equivalence unless the subject is trusted. +mlsconstrain process { transition dyntransition } + ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); + +# Process read operations: No read up unless trusted. +mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } + (l1 dom l2 or t1 == mlstrustedsubject); + +# Process write operations: Require equivalence unless trusted. +mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } + (l1 eq l2 or t1 == mlstrustedsubject); + +# +# Socket constraints +# + +# Create/relabel operations: Subject must be equivalent to object unless +# the subject is trusted. Sockets inherit the range of their creator. +mlsconstrain socket_class_set { create relabelfrom relabelto } + ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); + +# Datagram send: Sender must be equivalent to the receiver unless one of them +# is trusted. +mlsconstrain unix_dgram_socket { sendto } + (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); + +# Stream connect: Client must be equivalent to server unless one of them +# is trusted. +mlsconstrain unix_stream_socket { connectto } + (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); + +# +# Directory/file constraints +# + +# Create/relabel operations: Subject must be equivalent to object unless +# the subject is trusted. Also, files should always be single-level. +# Do NOT exempt mlstrustedobject types from this constraint. +mlsconstrain dir_file_class_set { create relabelfrom relabelto } + (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); + +# +# Constraints for app data files only. +# + +# Only constrain open, not read/write. +# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. 
+# Subject must dominate object unless the subject is trusted. +mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } + (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject); +mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename } + (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject); + +# +# Constraints for file types other than app data files. +# + +# Read operations: Subject must dominate object unless the subject +# or the object is trusted. +mlsconstrain dir { read getattr search } + (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } + (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +# Write operations: Subject must be equivalent to the object unless the +# subject or the object is trusted. +mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } + (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } + (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +# Special case for FIFOs. +# These can be unnamed pipes, in which case they will be labeled with the +# creating process' label. Thus we also have an exemption when the "object" +# is a domain type, so that processes can communicate via unnamed pipes +# passed by binder or local socket IPC. +mlsconstrain fifo_file { read getattr } + (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); + +mlsconstrain fifo_file { write setattr append unlink link rename } + (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); + +# +# Binder IPC constraints +# +# Presently commented out, as apps are expected to call one another. 
+# This would only make sense if apps were assigned categories +# based on allowable communications rather than per-app categories. +#mlsconstrain binder call +# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); diff --git a/prebuilts/api/28.0/private/mls_decl b/prebuilts/api/28.0/private/mls_decl new file mode 100644 index 000000000..dd53bea7e --- /dev/null +++ b/prebuilts/api/28.0/private/mls_decl @@ -0,0 +1,10 @@ +######################################### +# MLS declarations +# + +# Generate the desired number of sensitivities and categories. +gen_sens(mls_num_sens) +gen_cats(mls_num_cats) + +# Generate level definitions for each sensitivity and category. +gen_levels(mls_num_sens,mls_num_cats) diff --git a/prebuilts/api/28.0/private/mls_macros b/prebuilts/api/28.0/private/mls_macros new file mode 100644 index 000000000..83e05425b --- /dev/null +++ b/prebuilts/api/28.0/private/mls_macros 
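Review bot: `ptrace` and `share` appear in both the process read constraint (`l1 dom l2 or t1 == mlstrustedsubject`) and the process write constraint (`l1 eq l2 or t1 == mlstrustedsubject`); since every mlsconstrain on the same class and permission must hold, the dominance clause is dead for those two permissions and the effective requirement is equivalence, which the comment `# Process read operations: No read up unless trusted.` does not convey. A one-line note on the read constraint would stop a later edit from relaxing the write rule in the belief that ptrace is still covered by dominance: `# ptrace/share are also in the write constraint below; both apply, so they effectively require l1 eq l2.` The same reading applies to `rename` and `setattr` on dir/file, which are in both the "app data" and the read/write constraint groups, so a similar note there would not hurt.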
@@ -0,0 +1,54 @@ +######################################## +# +# gen_cats(N) +# +# declares categores c0 to c(N-1) +# +define(`decl_cats',`dnl +category c$1; +ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl +') + +define(`gen_cats',`decl_cats(0,decr($1))') + +######################################## +# +# gen_sens(N) +# +# declares sensitivites s0 to s(N-1) with dominance +# in increasing numeric order with s0 lowest, s(N-1) highest +# +define(`decl_sens',`dnl +sensitivity s$1; +ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl +') + +define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')') + +define(`gen_sens',` +# Each sensitivity has a name and zero or more aliases. +decl_sens(0,decr($1)) + +# Define the ordering of the sensitivity levels (least to greatest) +dominance { gen_dominance(0,decr($1)) } +') + +######################################## +# +# gen_levels(N,M) +# +# levels from s0 to (N-1) with categories c0 to (M-1) +# +define(`decl_levels',`dnl +level s$1:c0.c$3; +ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl +') + +define(`gen_levels',`decl_levels(0,decr($1),decr($2))') + +######################################## +# +# Basic level names for system low and high +# +define(`mls_systemlow',`s0') +define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)') diff --git a/prebuilts/api/28.0/private/modprobe.te b/prebuilts/api/28.0/private/modprobe.te new file mode 100644 index 000000000..98586756f --- /dev/null +++ b/prebuilts/api/28.0/private/modprobe.te @@ -0,0 +1 @@ +typeattribute modprobe coredomain; diff --git a/prebuilts/api/28.0/private/mtp.te b/prebuilts/api/28.0/private/mtp.te new file mode 100644 index 000000000..732e111ed --- /dev/null +++ b/prebuilts/api/28.0/private/mtp.te @@ -0,0 +1,3 @@ +typeattribute mtp coredomain; + +init_daemon_domain(mtp) diff --git a/prebuilts/api/28.0/private/net.te b/prebuilts/api/28.0/private/net.te new file mode 100644 index 000000000..f16daf94c --- /dev/null 
+++ b/prebuilts/api/28.0/private/net.te
@@ -0,0 +1,24 @@
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/28.0/private/netd.te b/prebuilts/api/28.0/private/netd.te
new file mode 100644
index 000000000..281105d04
--- /dev/null
+++ b/prebuilts/api/28.0/private/netd.te
@@ -0,0 +1,15 @@
+typeattribute netd coredomain;
+
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain
+domain_auto_trans(netd, clatd_exec, clatd)
+
+# Allow netd to start bpfloader_exec in its own domain
+domain_auto_trans(netd, bpfloader_exec, bpfloader)
+
+# give netd permission to setup iptables rule with xt_bpf
+allow netd bpfloader:bpf prog_run;
diff --git a/prebuilts/api/28.0/private/netutils_wrapper.te b/prebuilts/api/28.0/private/netutils_wrapper.te
new file mode 100644
index 000000000..ea58814e1
--- /dev/null
+++ b/prebuilts/api/28.0/private/netutils_wrapper.te
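Review bot: `allow netdomain self:netlink_route_socket { create read ... nlmsg_read };` spells out the permission list by hand, apparently so that of the message-type permissions only `nlmsg_read` is granted and `nlmsg_write` (the RTM_NEW*/RTM_DEL* requests that change routes, if this kernel gates them that way) stays denied for every network-capable domain. The comment `# See changes to the routing table.` does not say that the omission is deliberate, so a future cleanup could "complete" the list and silently let any netdomain modify routing. Suggest replacing the comment with `# Read-only netlink: nlmsg_write is deliberately omitted so netdomain can watch but never modify the routing table.`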
@@ -0,0 +1,41 @@ +typeattribute netutils_wrapper coredomain; + +r_dir_file(netutils_wrapper, system_file); + +# For netutils (ip, iptables, tc) +allow netutils_wrapper self:global_capability_class_set net_raw; + +allow netutils_wrapper system_file:file { execute execute_no_trans }; +allow netutils_wrapper proc_net:file { open read getattr }; +allow netutils_wrapper self:rawip_socket create_socket_perms; +allow netutils_wrapper self:udp_socket create_socket_perms; +allow netutils_wrapper self:global_capability_class_set net_admin; +# ip utils need everything but ioctl +allow netutils_wrapper self:netlink_route_socket ~ioctl; +allow netutils_wrapper self:netlink_xfrm_socket ~ioctl; + +# For netutils (ndc) to be able to talk to netd +allow netutils_wrapper netd_socket:sock_file { open getattr read write append }; +allow netutils_wrapper netd:unix_stream_socket { read getattr connectto }; + +# For vendor code that update the iptables rules at runtime. They need to reload +# the whole chain including the xt_bpf rules. They need to access to the pinned +# program when reloading the rule. +allow netutils_wrapper fs_bpf:dir search; +allow netutils_wrapper fs_bpf:file { read write }; +allow netutils_wrapper bpfloader:bpf prog_run; + +# For /data/misc/net access to ndc and ip +r_dir_file(netutils_wrapper, net_data_file) + +domain_auto_trans({ + domain + -coredomain + -appdomain +}, netutils_wrapper_exec, netutils_wrapper) + +# suppress spurious denials +dontaudit netutils_wrapper self:global_capability_class_set sys_resource; + +# netutils wrapper may only use the following capabilities. +neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw }; diff --git a/prebuilts/api/28.0/private/nfc.te b/prebuilts/api/28.0/private/nfc.te new file mode 100644 index 000000000..5e8567291 --- /dev/null +++ b/prebuilts/api/28.0/private/nfc.te 
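Review bot: `allow netutils_wrapper netd_socket:sock_file { open getattr read write append };` grants `open`, `read` and `append` on a socket inode, which no code path can use (a Unix socket file is not openable and connecting to it checks `write` only), so those permissions are dead weight that makes the rule look broader than it is. net.te in the same change reaches netd through `unix_socket_connect(netdomain, dnsproxyd, netd)`; if that macro expands to `sock_file write` plus `unix_stream_socket connectto` as it appears to, `unix_socket_connect(netutils_wrapper, netd, netd)` expresses this access in the file's own idiom, with `read getattr` on the stream socket kept as a separate rule if ndc needs them. `allow netutils_wrapper system_file:file { execute execute_no_trans };` lets the wrapper run any system binary, and the `domain_auto_trans` below makes it reachable from every non-core, non-app domain, so the restriction to ip/iptables/tc is presumably enforced by the wrapper executable rather than by policy. A comment stating that, e.g. `# Policy grants execute on all of system_file; the set of binaries and arguments is whitelisted by the wrapper itself.`, would make the trust boundary explicit for vendors relying on it.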
@@ -0,0 +1,34 @@ +# nfc subsystem +typeattribute nfc coredomain; +app_domain(nfc) +net_domain(nfc) + +binder_service(nfc) +add_service(nfc, nfc_service) + +hal_client_domain(nfc, hal_nfc) + +# Data file accesses. +allow nfc nfc_data_file:dir create_dir_perms; +allow nfc nfc_data_file:notdevfile_class_set create_file_perms; + +# SoundPool loading and playback +allow nfc audioserver_service:service_manager find; +allow nfc drmserver_service:service_manager find; +allow nfc mediacodec_service:service_manager find; +allow nfc mediametrics_service:service_manager find; +allow nfc mediaextractor_service:service_manager find; +allow nfc mediaserver_service:service_manager find; + +allow nfc radio_service:service_manager find; +allow nfc app_api_service:service_manager find; +allow nfc system_api_service:service_manager find; +allow nfc vr_manager_service:service_manager find; +allow nfc secure_element_service:service_manager find; + +set_prop(nfc, nfc_prop); + +# already open bugreport file descriptors may be shared with +# the nfc process, from a file in +# /data/data/com.android.shell/files/bugreports/bugreport-*. +allow nfc shell_data_file:file read; diff --git a/prebuilts/api/28.0/private/otapreopt_chroot.te b/prebuilts/api/28.0/private/otapreopt_chroot.te new file mode 100644 index 000000000..1f69931c8 --- /dev/null +++ b/prebuilts/api/28.0/private/otapreopt_chroot.te @@ -0,0 +1,4 @@ +typeattribute otapreopt_chroot coredomain; + +# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox. +domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt) diff --git a/prebuilts/api/28.0/private/otapreopt_slot.te b/prebuilts/api/28.0/private/otapreopt_slot.te new file mode 100644 index 000000000..98b93d406 --- /dev/null +++ b/prebuilts/api/28.0/private/otapreopt_slot.te 
@@ -0,0 +1,5 @@
+typeattribute otapreopt_slot coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
diff --git a/prebuilts/api/28.0/private/perfetto.te b/prebuilts/api/28.0/private/perfetto.te
new file mode 100644
index 000000000..9ac5d8761
--- /dev/null
+++ b/prebuilts/api/28.0/private/perfetto.te
@@ -0,0 +1,68 @@ +# Perfetto command-line client. Can be used only from the domains that are +# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto). +# This command line client accesses the privileged socket of the traced +# daemon. + +type perfetto, domain, coredomain; +type perfetto_exec, exec_type, file_type; + +tmpfs_domain(perfetto); + +# Allow to access traced's privileged consumer socket. +unix_socket_connect(perfetto, traced_consumer, traced) + +# Allow to write and unlink traces into /data/misc/perfetto-traces. +allow perfetto perfetto_traces_data_file:dir rw_dir_perms; +allow perfetto perfetto_traces_data_file:file create_file_perms; + +# Allow to access binder to pass the traces to Dropbox. +binder_use(perfetto) +binder_call(perfetto, system_server) +allow perfetto dropbox_service:service_manager find; + +# Allow statsd and shell to pipe the trace config to perfetto on stdin and to +# print out on stdout/stderr. +allow perfetto statsd:fd use; +allow perfetto statsd:fifo_file { getattr read write }; +allow perfetto shell:fd use; +allow perfetto shell:fifo_file { getattr read write }; + +# Allow to communicate use, read and write over the adb connection. +allow perfetto adbd:fd use; +allow perfetto adbd:unix_stream_socket { read write }; + +# allow adbd to reap perfetto +allow perfetto adbd:process { sigchld }; + +# Allow to access /dev/pts when launched in an adb shell. +allow perfetto devpts:chr_file rw_file_perms; + +### +### Neverallow rules +### +### perfetto should NEVER do any of this + +# Disallow mapping executable memory (execstack and exec are already disallowed +# globally in domain.te). +neverallow perfetto self:process execmem; + +# Block device access. +neverallow perfetto dev_type:blk_file { read write }; + +# ptrace any other process +neverallow perfetto domain:process ptrace; + +# Disallows access to other /data files. 
+neverallow perfetto { + data_file_type + -system_data_file + # TODO(b/72998741) Remove exemption. Further restricted in a subsequent + # neverallow. Currently only getattr and search are allowed. + -vendor_data_file + -zoneinfo_data_file + -perfetto_traces_data_file +}:dir *; +neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search }; +neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms; +neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *; +neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write; diff --git a/prebuilts/api/28.0/private/performanced.te b/prebuilts/api/28.0/private/performanced.te new file mode 100644 index 000000000..792826e02 --- /dev/null +++ b/prebuilts/api/28.0/private/performanced.te @@ -0,0 +1,3 @@ +typeattribute performanced coredomain; + +init_daemon_domain(performanced) diff --git a/prebuilts/api/28.0/private/perfprofd.te b/prebuilts/api/28.0/private/perfprofd.te new file mode 100644 index 000000000..4da541032 --- /dev/null +++ b/prebuilts/api/28.0/private/perfprofd.te @@ -0,0 +1,8 @@ +userdebug_or_eng(` + typeattribute perfprofd coredomain; + init_daemon_domain(perfprofd) +') + +# Only servicemanager, statsd, su and systemserver can communicate. +neverallow { domain userdebug_or_eng(`-statsd') } perfprofd:binder call; +neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server') }:binder call; diff --git a/prebuilts/api/28.0/private/platform_app.te b/prebuilts/api/28.0/private/platform_app.te new file mode 100644 index 000000000..80b20e145 --- /dev/null +++ b/prebuilts/api/28.0/private/platform_app.te 
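Review bot: The exemption comment inside the first `:dir *` neverallow says `-vendor_data_file` is "Further restricted in a subsequent neverallow. Currently only getattr and search are allowed", but the only follow-up rule is `neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`, which names system_data_file rather than vendor_data_file, so nothing in this file bounds what a future allow could grant perfetto on vendor data directories. Either the comment belongs to the `-system_data_file` line just above it, or the intended rule is missing and should be added as `neverallow perfetto vendor_data_file:dir ~{ getattr search };`. The comment on the last rule, `# Disallows access to other /data files.`, is also worth sharpening, since `:file ~write` leaves `write` itself permitted, which is what passing an already-open fd from statsd or shell relies on.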
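Review bot: The comment `# Only servicemanager, statsd, su and systemserver can communicate.` does not match the two neverallows under it: `neverallow { domain userdebug_or_eng(`-statsd') } perfprofd:binder call;` leaves statsd as the only domain permitted to call into perfprofd (and none at all on user builds), while the four named domains are exempted only as targets of perfprofd's outgoing calls in the second rule. Reword to state the direction, e.g. `# Only statsd may call perfprofd; perfprofd may only call servicemanager, statsd, su and system_server (userdebug/eng only).`, so that a reader does not conclude system_server is allowed to call in.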
@@ -0,0 +1,82 @@ +### +### Apps signed with the platform key. +### + +typeattribute platform_app coredomain; + +app_domain(platform_app) + +# Access the network. +net_domain(platform_app) +# Access bluetooth. +bluetooth_domain(platform_app) +# Read from /data/local/tmp or /data/data/com.android.shell. +allow platform_app shell_data_file:dir search; +allow platform_app shell_data_file:file { open getattr read }; +allow platform_app icon_file:file { open getattr read }; +# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files +# created by system server. +allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms; +allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms; +allow platform_app apk_private_data_file:dir search; +# ASEC +allow platform_app asec_apk_file:dir create_dir_perms; +allow platform_app asec_apk_file:file create_file_perms; + +# Access to /data/media. +allow platform_app media_rw_data_file:dir create_dir_perms; +allow platform_app media_rw_data_file:file create_file_perms; + +# Write to /cache. 
+allow platform_app cache_file:dir create_dir_perms; +allow platform_app cache_file:file create_file_perms; + +# Direct access to vold-mounted storage under /mnt/media_rw +# This is a performance optimization that allows platform apps to bypass the FUSE layer +allow platform_app mnt_media_rw_file:dir r_dir_perms; +allow platform_app vfat:dir create_dir_perms; +allow platform_app vfat:file create_file_perms; + +# com.android.systemui +allow platform_app rootfs:dir getattr; + +# com.android.captiveportallogin reads /proc/vmstat +allow platform_app { + proc_vmstat +}:file r_file_perms; + +allow platform_app audioserver_service:service_manager find; +allow platform_app cameraserver_service:service_manager find; +allow platform_app drmserver_service:service_manager find; +allow platform_app mediaserver_service:service_manager find; +allow platform_app mediametrics_service:service_manager find; +allow platform_app mediaextractor_service:service_manager find; +allow platform_app mediacodec_service:service_manager find; +allow platform_app mediadrmserver_service:service_manager find; +allow platform_app persistent_data_block_service:service_manager find; +allow platform_app radio_service:service_manager find; +allow platform_app thermal_service:service_manager find; +allow platform_app timezone_service:service_manager find; +allow platform_app app_api_service:service_manager find; +allow platform_app system_api_service:service_manager find; +allow platform_app vr_manager_service:service_manager find; + +# Access to /data/preloads +allow platform_app preloads_data_file:file r_file_perms; +allow platform_app preloads_data_file:dir r_dir_perms; +allow platform_app preloads_media_file:file r_file_perms; +allow platform_app preloads_media_file:dir r_dir_perms; + +read_runtime_log_tags(platform_app) + +# allow platform apps to use UDP sockets provided by the system server but not +# modify them other than to connect +allow platform_app system_server:udp_socket { + connect 
getattr read recvfrom sendto write getopt setopt }; + +### +### Neverallow rules +### + +# app domains which access /dev/fuse should not run as platform_app +neverallow platform_app fuse_device:chr_file *; diff --git a/prebuilts/api/28.0/private/policy_capabilities b/prebuilts/api/28.0/private/policy_capabilities new file mode 100644 index 000000000..ab55c15e3 --- /dev/null +++ b/prebuilts/api/28.0/private/policy_capabilities @@ -0,0 +1,13 @@ +# Enable new networking controls. +policycap network_peer_controls; + +# Enable open permission check. +policycap open_perms; + +# Enable separate security classes for +# all network address families previously +# mapped to the socket class and for +# ICMP and SCTP sockets previously mapped +# to the rawip_socket class. +policycap extended_socket_class; + diff --git a/prebuilts/api/28.0/private/port_contexts b/prebuilts/api/28.0/private/port_contexts new file mode 100644 index 000000000..b473c0c9b --- /dev/null +++ b/prebuilts/api/28.0/private/port_contexts @@ -0,0 +1,3 @@ +# portcon statements go here, e.g. +# portcon tcp 80 u:object_r:http_port:s0 + diff --git a/prebuilts/api/28.0/private/postinstall.te b/prebuilts/api/28.0/private/postinstall.te new file mode 100644 index 000000000..363e362dd --- /dev/null +++ b/prebuilts/api/28.0/private/postinstall.te @@ -0,0 +1,3 @@ +typeattribute postinstall coredomain; + +domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot) diff --git a/prebuilts/api/28.0/private/postinstall_dexopt.te b/prebuilts/api/28.0/private/postinstall_dexopt.te new file mode 100644 index 000000000..ff5fe8735 --- /dev/null +++ b/prebuilts/api/28.0/private/postinstall_dexopt.te @@ -0,0 +1,5 @@ +typeattribute postinstall_dexopt coredomain; + +# Run dex2oat/patchoat in its own sandbox. +# We have to manually transition, as we don't have an entrypoint. +domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat) 
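Review bot: The comment above `allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };` promises the app will "not modify them other than to connect", yet `setopt` is in the list and lets the app change options on a socket system_server owns (marks, TTL or interface binding, if those are reachable via setsockopt on this kernel), which is a modification well beyond connect. If setopt is required, change the comment to say so, e.g. `# ... may connect and set socket options, but not bind or close them`; if it is not, drop `setopt` from the list. The identical rule and comment appear in priv_app.te in this change and should be fixed the same way.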
diff --git a/prebuilts/api/28.0/private/ppp.te b/prebuilts/api/28.0/private/ppp.te
new file mode 100644
index 000000000..968b221b6
--- /dev/null
+++ b/prebuilts/api/28.0/private/ppp.te
@@ -0,0 +1,3 @@
+typeattribute ppp coredomain;
+
+domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/28.0/private/preopt2cachename.te b/prebuilts/api/28.0/private/preopt2cachename.te
new file mode 100644
index 000000000..d10f76766
--- /dev/null
+++ b/prebuilts/api/28.0/private/preopt2cachename.te
@@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
diff --git a/prebuilts/api/28.0/private/priv_app.te b/prebuilts/api/28.0/private/priv_app.te
new file mode 100644
index 000000000..99397a5bc
--- /dev/null
+++ b/prebuilts/api/28.0/private/priv_app.te
@@ -0,0 +1,205 @@ +### +### A domain for further sandboxing privileged apps. +### + +typeattribute priv_app coredomain; +app_domain(priv_app) + +# Access the network. +net_domain(priv_app) +# Access bluetooth. +bluetooth_domain(priv_app) + +# Allow the allocation and use of ptys +# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm +create_pty(priv_app) + +# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7) +allow priv_app self:process ptrace; + +# Some apps ship with shared libraries that they write out +# to their sandbox directory and then dlopen(). +allow priv_app app_data_file:file execute; + +allow priv_app app_api_service:service_manager find; +allow priv_app audioserver_service:service_manager find; +allow priv_app cameraserver_service:service_manager find; +allow priv_app drmserver_service:service_manager find; +allow priv_app mediacodec_service:service_manager find; +allow priv_app mediadrmserver_service:service_manager find; +allow priv_app mediaextractor_service:service_manager find; +allow priv_app mediametrics_service:service_manager find; +allow priv_app mediaserver_service:service_manager find; +allow priv_app network_watchlist_service:service_manager find; +allow priv_app nfc_service:service_manager find; +allow priv_app oem_lock_service:service_manager find; +allow priv_app persistent_data_block_service:service_manager find; +allow priv_app radio_service:service_manager find; +allow priv_app recovery_service:service_manager find; +allow priv_app stats_service:service_manager find; +allow priv_app system_api_service:service_manager find; + +# Write to /cache. +allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms; +allow priv_app { cache_file cache_recovery_file }:file create_file_perms; +# /cache is a symlink to /data/cache on some devices. Allow reading the link. +allow priv_app cache_file:lnk_file r_file_perms; + +# Write to /data/ota_package for OTA packages. 
+allow priv_app ota_package_file:dir rw_dir_perms; +allow priv_app ota_package_file:file create_file_perms; + +# Access to /data/media. +allow priv_app media_rw_data_file:dir create_dir_perms; +allow priv_app media_rw_data_file:file create_file_perms; + +# Used by Finsky / Android "Verify Apps" functionality when +# running "adb install foo.apk". +allow priv_app shell_data_file:file r_file_perms; +allow priv_app shell_data_file:dir r_dir_perms; + +# Allow traceur to pass file descriptors through a content provider to betterbug +allow priv_app trace_data_file:file { getattr read }; + +# Allow verifier to access staged apks. +allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; +allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; + +# b/18504118: Allow reads from /data/anr/traces.txt +allow priv_app anr_data_file:file r_file_perms; + +# Allow GMS core to access perfprofd output, which is stored +# in /data/misc/perfprofd/. GMS core will need to list all +# data stored in that directory to process them one by one. +userdebug_or_eng(` + allow priv_app perfprofd_data_file:file r_file_perms; + allow priv_app perfprofd_data_file:dir r_dir_perms; +') + +# For AppFuse. +allow priv_app vold:fd use; +allow priv_app fuse_device:chr_file { read write }; + +# /proc access +allow priv_app { + proc_vmstat +}:file r_file_perms; + +allow priv_app sysfs_type:dir search; +# Read access to /sys/class/net/wlan*/address +r_dir_file(priv_app, sysfs_net) +# Read access to /sys/block/zram*/mm_stat +r_dir_file(priv_app, sysfs_zram) + +r_dir_file(priv_app, rootfs) + +# Allow GMS core to open kernel config for OTA matching through libvintf +allow priv_app config_gz:file { open read getattr }; + +# access the mac address +allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR; + +# Allow GMS core to communicate with update_engine for A/B update. 
+binder_call(priv_app, update_engine) +allow priv_app update_engine_service:service_manager find; + +# Allow GMS core to communicate with dumpsys storaged. +binder_call(priv_app, storaged) +allow priv_app storaged_service:service_manager find; + +# Allow GMS core to access system_update_service (e.g. to publish pending +# system update info). +allow priv_app system_update_service:service_manager find; + +# Allow GMS core to communicate with statsd. +binder_call(priv_app, statsd) + +# Allow Phone to read/write cached ringtones (opened by system). +allow priv_app ringtone_file:file { getattr read write }; + +# Access to /data/preloads +allow priv_app preloads_data_file:file r_file_perms; +allow priv_app preloads_data_file:dir r_dir_perms; +allow priv_app preloads_media_file:file r_file_perms; +allow priv_app preloads_media_file:dir r_dir_perms; + +# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs +allow priv_app keystore:keystore_key gen_unique_id; + +# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check +allow priv_app selinuxfs:file r_file_perms; + +read_runtime_log_tags(priv_app) + +# Write app-specific trace data to the Perfetto traced damon. This requires +# connecting to its producer socket and obtaining a (per-process) tmpfs fd. +allow priv_app traced:fd use; +allow priv_app traced_tmpfs:file { read write getattr map }; +unix_socket_connect(priv_app, traced_producer, traced) + +# suppress denials for non-API accesses. 
+dontaudit priv_app exec_type:file getattr; +dontaudit priv_app device:dir read; +dontaudit priv_app net_dns_prop:file read; +dontaudit priv_app proc:file read; +dontaudit priv_app proc_interrupts:file read; +dontaudit priv_app proc_modules:file read; +dontaudit priv_app proc_stat:file read; +dontaudit priv_app proc_version:file read; +dontaudit priv_app sysfs:dir read; +dontaudit priv_app sysfs_android_usb:file read; +dontaudit priv_app wifi_prop:file read; +dontaudit priv_app { wifi_prop exported_wifi_prop }:file read; + +# allow privileged apps to use UDP sockets provided by the system server but not +# modify them other than to connect +allow priv_app system_server:udp_socket { + connect getattr read recvfrom sendto write getopt setopt }; + +### +### neverallow rules +### + +# Receive or send uevent messages. +neverallow priv_app domain:netlink_kobject_uevent_socket *; + +# Receive or send generic netlink messages +neverallow priv_app domain:netlink_socket *; + +# Too much leaky information in debugfs. It's a security +# best practice to ensure these files aren't readable. +neverallow priv_app debugfs:file read; + +# Do not allow privileged apps to register services. +# Only trusted components of Android should be registering +# services. +neverallow priv_app service_manager_type:service_manager add; + +# Do not allow privileged apps to connect to the property service +# or set properties. b/10243159 +neverallow priv_app property_socket:sock_file write; +neverallow priv_app init:unix_stream_socket connectto; +neverallow priv_app property_type:property_service set; + +# Do not allow priv_app to be assigned mlstrustedsubject. +# This would undermine the per-user isolation model being +# enforced via levelFrom=user in seapp_contexts and the mls +# constraints. 
As there is no direct way to specify a neverallow +# on attribute assignment, this relies on the fact that fork +# permission only makes sense within a domain (hence should +# never be granted to any other domain within mlstrustedsubject) +# and priv_app is allowed fork permission to itself. +neverallow priv_app mlstrustedsubject:process fork; + +# Do not allow priv_app to hard link to any files. +# In particular, if priv_app links to other app data +# files, installd will not be able to guarantee the deletion +# of the linked to file. Hard links also contribute to security +# bugs, so we want to ensure priv_app never has this +# capability. +neverallow priv_app file_type:file link; + +# priv apps should not be able to open trace data files, they should depend +# upon traceur to pass a file descriptor which they can then read +neverallow priv_app trace_data_file:dir *; +neverallow priv_app trace_data_file:file { no_w_file_perms open }; diff --git a/prebuilts/api/28.0/private/profman.te b/prebuilts/api/28.0/private/profman.te new file mode 100644 index 000000000..f61d05efe --- /dev/null +++ b/prebuilts/api/28.0/private/profman.te @@ -0,0 +1 @@ +typeattribute profman coredomain; diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts new file mode 100644 index 000000000..ecde9d3ea --- /dev/null +++ b/prebuilts/api/28.0/private/property_contexts 
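Review bot: `dontaudit priv_app wifi_prop:file read;` is immediately followed by `dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;`, which already covers wifi_prop, so the first line is redundant and should be dropped to keep the suppression list honest. The comment on the `system_server:udp_socket` rule says the app cannot modify the socket "other than to connect" while `setopt` is granted, the same mismatch as in platform_app.te in this change; fix the comment or remove the permission. `allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;` also lets privileged apps create entries under /cache/recovery, which the existing `# Write to /cache.` comment does not call out; naming the consumer (presumably the OTA flow, given the ota_package_file rules below) would let the next reviewer judge that grant without guessing.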
@@ -0,0 +1,134 @@ +########################## +# property service keys +# +# +net.rmnet u:object_r:net_radio_prop:s0 +net.gprs u:object_r:net_radio_prop:s0 +net.ppp u:object_r:net_radio_prop:s0 +net.qmi u:object_r:net_radio_prop:s0 +net.lte u:object_r:net_radio_prop:s0 +net.cdma u:object_r:net_radio_prop:s0 +net.dns u:object_r:net_dns_prop:s0 +sys.usb.config u:object_r:system_radio_prop:s0 +ril. u:object_r:radio_prop:s0 +ro.ril. u:object_r:radio_prop:s0 +gsm. u:object_r:radio_prop:s0 +persist.radio u:object_r:radio_prop:s0 + +net. u:object_r:system_prop:s0 +dev. u:object_r:system_prop:s0 +ro.runtime. u:object_r:system_prop:s0 +ro.runtime.firstboot u:object_r:firstboot_prop:s0 +hw. u:object_r:system_prop:s0 +ro.hw. u:object_r:system_prop:s0 +sys. u:object_r:system_prop:s0 +sys.cppreopt u:object_r:cppreopt_prop:s0 +sys.powerctl u:object_r:powerctl_prop:s0 +sys.usb.ffs. u:object_r:ffs_prop:s0 +service. u:object_r:system_prop:s0 +dhcp. u:object_r:dhcp_prop:s0 +dhcp.bt-pan.result u:object_r:pan_result_prop:s0 +bluetooth. u:object_r:bluetooth_prop:s0 + +debug. u:object_r:debug_prop:s0 +debug.db. u:object_r:debuggerd_prop:s0 +dumpstate. u:object_r:dumpstate_prop:s0 +dumpstate.options u:object_r:dumpstate_options_prop:s0 +log. u:object_r:log_prop:s0 +log.tag u:object_r:log_tag_prop:s0 +log.tag.WifiHAL u:object_r:wifi_log_prop:s0 +security.perf_harden u:object_r:shell_prop:s0 +service.adb.root u:object_r:shell_prop:s0 +service.adb.tcp.port u:object_r:shell_prop:s0 + +persist.audio. u:object_r:audio_prop:s0 +persist.bluetooth. u:object_r:bluetooth_prop:s0 +persist.debug. u:object_r:persist_debug_prop:s0 +persist.logd. u:object_r:logd_prop:s0 +ro.logd. u:object_r:logd_prop:s0 +persist.logd.security u:object_r:device_logging_prop:s0 +persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +logd.logpersistd u:object_r:logpersistd_logging_prop:s0 +persist.log.tag u:object_r:log_tag_prop:s0 +persist.mmc. 
u:object_r:mmc_prop:s0 +persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0 +persist.sys. u:object_r:system_prop:s0 +persist.sys.safemode u:object_r:safemode_prop:s0 +ro.sys.safemode u:object_r:safemode_prop:s0 +persist.sys.audit_safemode u:object_r:safemode_prop:s0 +persist.service. u:object_r:system_prop:s0 +persist.service.bdroid. u:object_r:bluetooth_prop:s0 +persist.security. u:object_r:system_prop:s0 +persist.vendor.overlay. u:object_r:overlay_prop:s0 +ro.boot.vendor.overlay. u:object_r:overlay_prop:s0 +ro.boottime. u:object_r:boottime_prop:s0 +ro.serialno u:object_r:serialno_prop:s0 +ro.boot.btmacaddr u:object_r:bluetooth_prop:s0 +ro.boot.serialno u:object_r:serialno_prop:s0 +ro.bt. u:object_r:bluetooth_prop:s0 +ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0 +persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0 +sys.boot.reason u:object_r:system_boot_reason_prop:s0 +pm. u:object_r:pm_prop:s0 + +# Boolean property set by system server upon boot indicating +# if device owner is provisioned. +ro.device_owner u:object_r:device_logging_prop:s0 + +# selinux non-persistent properties +selinux.restorecon_recursive u:object_r:restorecon_prop:s0 + +# default property context +* u:object_r:default_prop:s0 + +# data partition encryption properties +vold. u:object_r:vold_prop:s0 +ro.crypto. u:object_r:vold_prop:s0 + +# ro.build.fingerprint is either set in /system/build.prop, or is +# set at runtime by system_server. +ro.build.fingerprint u:object_r:fingerprint_prop:s0 + +ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0 + +# ctl properties +ctl.bootanim u:object_r:ctl_bootanim_prop:s0 +ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0 +ctl.fuse_ u:object_r:ctl_fuse_prop:s0 +ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0 +ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0 +ctl.bugreport u:object_r:ctl_bugreport_prop:s0 +ctl.console u:object_r:ctl_console_prop:s0 +ctl. u:object_r:ctl_default_prop:s0 + +# NFC properties +nfc. 
u:object_r:nfc_prop:s0 + +# These properties are not normally set by processes other than init. +# They are only distinguished here for setting by qemu-props on the +# emulator/goldfish. +config. u:object_r:config_prop:s0 +ro.config. u:object_r:config_prop:s0 +dalvik. u:object_r:dalvik_prop:s0 +ro.dalvik. u:object_r:dalvik_prop:s0 + +# Shared between system server and wificond +wlan. u:object_r:wifi_prop:s0 + +# Lowpan properties +lowpan. u:object_r:lowpan_prop:s0 +ro.lowpan. u:object_r:lowpan_prop:s0 + +# hwservicemanager properties +hwservicemanager. u:object_r:hwservicemanager_prop:s0 + +# Common default properties for vendor and odm. +init.svc.odm. u:object_r:vendor_default_prop:s0 +init.svc.vendor. u:object_r:vendor_default_prop:s0 +ro.hardware. u:object_r:vendor_default_prop:s0 +ro.odm. u:object_r:vendor_default_prop:s0 +ro.vendor. u:object_r:vendor_default_prop:s0 +odm. u:object_r:vendor_default_prop:s0 +persist.odm. u:object_r:vendor_default_prop:s0 +persist.vendor. u:object_r:vendor_default_prop:s0 +vendor. u:object_r:vendor_default_prop:s0 diff --git a/prebuilts/api/28.0/private/racoon.te b/prebuilts/api/28.0/private/racoon.te new file mode 100644 index 000000000..42ea7c9e4 --- /dev/null +++ b/prebuilts/api/28.0/private/racoon.te @@ -0,0 +1,3 @@ +typeattribute racoon coredomain; + +init_daemon_domain(racoon) diff --git a/prebuilts/api/28.0/private/radio.te b/prebuilts/api/28.0/private/radio.te new file mode 100644 index 000000000..b4f539048 --- /dev/null +++ b/prebuilts/api/28.0/private/radio.te @@ -0,0 +1,5 @@ +typeattribute radio coredomain; + +app_domain(radio) + +read_runtime_log_tags(radio) diff --git a/prebuilts/api/28.0/private/recovery.te b/prebuilts/api/28.0/private/recovery.te new file mode 100644 index 000000000..2a7fdc7e1 --- /dev/null +++ b/prebuilts/api/28.0/private/recovery.te @@ -0,0 +1 @@ +typeattribute recovery coredomain; 
diff --git a/prebuilts/api/28.0/private/recovery_persist.te b/prebuilts/api/28.0/private/recovery_persist.te
new file mode 100644
index 000000000..1fdd7583d
--- /dev/null
+++ b/prebuilts/api/28.0/private/recovery_persist.te
@@ -0,0 +1,7 @@
+typeattribute recovery_persist coredomain;
+
+init_daemon_domain(recovery_persist)
+
+# recovery_persist is not allowed to write anywhere other than recovery_data_file
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/28.0/private/recovery_refresh.te b/prebuilts/api/28.0/private/recovery_refresh.te
new file mode 100644
index 000000000..327098dad
--- /dev/null
+++ b/prebuilts/api/28.0/private/recovery_refresh.te
@@ -0,0 +1,7 @@
+typeattribute recovery_refresh coredomain;
+
+init_daemon_domain(recovery_refresh)
+
+# recovery_refresh is not allowed to write anywhere
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/28.0/private/roles_decl b/prebuilts/api/28.0/private/roles_decl
new file mode 100644
index 000000000..c84fcba0f
--- /dev/null
+++ b/prebuilts/api/28.0/private/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/prebuilts/api/28.0/private/runas.te b/prebuilts/api/28.0/private/runas.te
new file mode 100644
index 000000000..ef31aac34
--- /dev/null
+++ b/prebuilts/api/28.0/private/runas.te
@@ -0,0 +1,4 @@
+typeattribute runas coredomain;
+
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/28.0/private/sdcardd.te b/prebuilts/api/28.0/private/sdcardd.te
new file mode 100644
index 000000000..126d64349
--- /dev/null
+++ b/prebuilts/api/28.0/private/sdcardd.te
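Review bot: The comment `# recovery_persist is not allowed to write anywhere other than recovery_data_file` does not account for the `userdebug_or_eng(`-coredump_file')` carve-out on the neverallow beneath it; the TODO explains the tmpfs exception but the coredump exception is left undocumented. Suggest adding `# coredump_file is additionally writable on userdebug/eng builds` above the neverallow. The same applies to the recovery_refresh.te hunk on this line. Since this is a frozen prebuilt snapshot, the wording change belongs in the source policy it mirrors.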
@@ -0,0 +1,3 @@
+typeattribute sdcardd coredomain;
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/28.0/private/seapp_contexts b/prebuilts/api/28.0/private/seapp_contexts
new file mode 100644
index 000000000..c21d49f2a
--- /dev/null
+++ b/prebuilts/api/28.0/private/seapp_contexts
@@ -0,0 +1,118 @@ +# Input selectors: +# isSystemServer (boolean) +# isEphemeralApp (boolean) +# isV2App (boolean) +# isOwner (boolean) +# user (string) +# seinfo (string) +# name (string) +# path (string) +# isPrivApp (boolean) +# minTargetSdkVersion (unsigned integer) +# isSystemServer=true can only be used once. +# An unspecified isSystemServer defaults to false. +# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral +# isV2App=true will match apps in the v2 app sandbox. +# isOwner=true will only match for the owner/primary user. +# isOwner=false will only match for secondary users. +# If unspecified, the entry can match either case. +# An unspecified string selector will match any value. +# A user string selector that ends in * will perform a prefix match. +# user=_app will match any regular app UID. +# user=_isolated will match any isolated service UID. +# isPrivApp=true will only match for applications preinstalled in +# /system/priv-app. +# minTargetSdkVersion will match applications with a targetSdkVersion +# greater than or equal to the specified value. If unspecified, +# it has a default value of 0. +# All specified input selectors in an entry must match (i.e. logical AND). +# Matching is case-insensitive. +# +# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()): +# (1) isSystemServer=true before isSystemServer=false. +# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean. +# (3) Specified isV2App= before unspecified isV2App= boolean. +# (4) Specified isOwner= before unspecified isOwner= boolean. +# (5) Specified user= string before unspecified user= string. +# (6) Fixed user= string before user= prefix (i.e. ending in *). +# (7) Longer user= prefix before shorter user= prefix. +# (8) Specified seinfo= string before unspecified seinfo= string. +# ':' character is reserved and may not be used. +# (9) Specified name= string before unspecified name= string. 
+# (10) Specified path= string before unspecified path= string. +# (11) Specified isPrivApp= before unspecified isPrivApp= boolean. +# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion= +# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified. +# +# Outputs: +# domain (string) +# type (string) +# levelFrom (string; one of none, all, app, or user) +# level (string) +# Only entries that specify domain= will be used for app process labeling. +# Only entries that specify type= will be used for app directory labeling. +# levelFrom=user is only supported for _app or _isolated UIDs. +# levelFrom=app or levelFrom=all is only supported for _app UIDs. +# level may be used to specify a fixed level for any UID. +# +# +# Neverallow Assertions +# Additional compile time assertion checks can be added as well. The assertion +# rules are lines beginning with the keyword neverallow. Full support for PCRE +# regular expressions exists on all input and output selectors. Neverallow +# rules are never output to the built seapp_contexts file. Like all keywords, +# neverallows are case-insensitive. A neverallow is asserted when all key value +# inputs are matched on a key value rule line. 
+# + +# only the system server can be in system_server domain +neverallow isSystemServer=false domain=system_server +neverallow isSystemServer="" domain=system_server + +# system domains should never be assigned outside of system uid +neverallow user=((?!system).)* domain=system_app +neverallow user=((?!system).)* type=system_app_data_file + +# anything with a non-known uid with a specified name should have a specified seinfo +neverallow user=_app name=.* seinfo="" +neverallow user=_app name=.* seinfo=default + +# neverallow shared relro to any other domain +# and neverallow any other uid into shared_relro +neverallow user=shared_relro domain=((?!shared_relro).)* +neverallow user=((?!shared_relro).)* domain=shared_relro + +# neverallow non-isolated uids into isolated_app domain +# and vice versa +neverallow user=_isolated domain=((?!isolated_app).)* +neverallow user=((?!_isolated).)* domain=isolated_app + +# uid shell should always be in shell domain, however non-shell +# uid's can be in shell domain +neverallow user=shell domain=((?!shell).)* + +# only the package named com.android.shell can run in the shell domain +neverallow domain=shell name=((?!com\.android\.shell).)* +neverallow user=shell name=((?!com\.android\.shell).)* + +# Ephemeral Apps must run in the ephemeral_app domain +neverallow isEphemeralApp=true domain=((?!ephemeral_app).)* + +isSystemServer=true domain=system_server +user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all +user=system seinfo=platform domain=system_app type=system_app_data_file +user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file +user=nfc seinfo=platform domain=nfc type=nfc_data_file +user=secure_element seinfo=platform domain=secure_element levelFrom=all +user=radio seinfo=platform domain=radio type=radio_data_file +user=shared_relro domain=shared_relro +user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file +user=webview_zygote 
seinfo=webview_zygote domain=webview_zygote +user=_isolated domain=isolated_app levelFrom=all +user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user +user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user +user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all +user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all +user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user +user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user diff --git a/prebuilts/api/28.0/private/secure_element.te b/prebuilts/api/28.0/private/secure_element.te new file mode 100644 index 000000000..57f512bbd --- /dev/null +++ b/prebuilts/api/28.0/private/secure_element.te @@ -0,0 +1,14 @@ +# secure element subsystem +typeattribute secure_element coredomain; +app_domain(secure_element) + +binder_service(secure_element) +add_service(secure_element, secure_element_service) + +allow secure_element app_api_service:service_manager find; +hal_client_domain(secure_element, hal_secure_element) + +# already open bugreport file descriptors may be shared with +# the secure element process, from a file in +# /data/data/com.android.shell/files/bugreports/bugreport-*. +allow secure_element shell_data_file:file read; diff --git a/prebuilts/api/28.0/private/security_classes b/prebuilts/api/28.0/private/security_classes new file mode 100644 index 000000000..251b72168 --- /dev/null +++ b/prebuilts/api/28.0/private/security_classes 
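Review bot: The three untrusted_app entries near the end of the hunk (`user=_app minTargetSdkVersion=28 domain=untrusted_app`, `user=_app minTargetSdkVersion=26 domain=untrusted_app_27`, and the unqualified `user=_app domain=untrusted_app_25`) depend on precedence rule (12) from the header to route each targetSdkVersion to the right domain, but nothing next to them says so, and the `_27` suffix does not match the `26` threshold on its own line. Suggest a comment above them such as `# Higher minTargetSdkVersion wins (rule 12): targetSdk >= 28 -> untrusted_app, 26-27 -> untrusted_app_27, otherwise untrusted_app_25`. Without it a reader cannot tell that the `26` entry covers only two SDK levels. This is a prebuilt snapshot, so the comment would be added in the source seapp_contexts it mirrors.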
@@ -0,0 +1,146 @@ +# FLASK + +# +# Define the security object classes +# + +# Classes marked as userspace are classes +# for userspace object managers + +class security +class process +class system +class capability + +# file-related classes +class filesystem +class file +class dir +class fd +class lnk_file +class chr_file +class blk_file +class sock_file +class fifo_file + +# network-related classes +class socket +class tcp_socket +class udp_socket +class rawip_socket +class node +class netif +class netlink_socket +class packet_socket +class key_socket +class unix_stream_socket +class unix_dgram_socket +class bpf + +# sysv-ipc-related classes +class sem +class msg +class msgq +class shm +class ipc + +# extended netlink sockets +class netlink_route_socket +class netlink_tcpdiag_socket +class netlink_nflog_socket +class netlink_xfrm_socket +class netlink_selinux_socket +class netlink_audit_socket +class netlink_dnrt_socket + +# IPSec association +class association + +# Updated Netlink class for KOBJECT_UEVENT family. +class netlink_kobject_uevent_socket + +class appletalk_socket + +class packet + +# Kernel access key retention +class key + +class dccp_socket + +class memprotect + +# network peer labels +class peer + +# Capabilities >= 32 +class capability2 + +# kernel services that need to override task security, e.g. cachefiles +class kernel_service + +class tun_socket + +class binder + +# Updated netlink classes for more recent netlink protocols. +class netlink_iscsi_socket +class netlink_fib_lookup_socket +class netlink_connector_socket +class netlink_netfilter_socket +class netlink_generic_socket +class netlink_scsitransport_socket +class netlink_rdma_socket +class netlink_crypto_socket + +# Capability checks when on a non-init user namespace +class cap_userns +class cap2_userns + +# New socket classes introduced by extended_socket_class policy capability. +# These two were previously mapped to rawip_socket. 
+class sctp_socket +class icmp_socket +# These were previously mapped to socket. +class ax25_socket +class ipx_socket +class netrom_socket +class atmpvc_socket +class x25_socket +class rose_socket +class decnet_socket +class atmsvc_socket +class rds_socket +class irda_socket +class pppox_socket +class llc_socket +class can_socket +class tipc_socket +class bluetooth_socket +class iucv_socket +class rxrpc_socket +class isdn_socket +class phonet_socket +class ieee802154_socket +class caif_socket +class alg_socket +class nfc_socket +class vsock_socket +class kcm_socket +class qipcrtr_socket +class smc_socket + +# Property service +class property_service # userspace + +# Service manager +class service_manager # userspace + +# hardware service manager # userspace +class hwservice_manager + +# Keystore Key +class keystore_key # userspace + +class drmservice # userspace +# FLASK diff --git a/prebuilts/api/28.0/private/service.te b/prebuilts/api/28.0/private/service.te new file mode 100644 index 000000000..3fec8825a --- /dev/null +++ b/prebuilts/api/28.0/private/service.te @@ -0,0 +1,2 @@ +type stats_service, service_manager_type; +type statscompanion_service, system_server_service, service_manager_type; diff --git a/prebuilts/api/28.0/private/service_contexts b/prebuilts/api/28.0/private/service_contexts new file mode 100644 index 000000000..5ec45a23e --- /dev/null +++ b/prebuilts/api/28.0/private/service_contexts 
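Review bot: The `# userspace` marker for hwservice_manager is placed on the comment line (`# hardware service manager # userspace`) instead of trailing the class declaration as it does for property_service, service_manager, keystore_key and drmservice in the same hunk. For consistency write it as `# hardware service manager` followed by `class hwservice_manager # userspace`. Anything that scans the `class` lines for the marker would otherwise miss this one.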
@@ -0,0 +1,188 @@ +accessibility u:object_r:accessibility_service:s0 +account u:object_r:account_service:s0 +activity u:object_r:activity_service:s0 +alarm u:object_r:alarm_service:s0 +android.os.UpdateEngineService u:object_r:update_engine_service:s0 +android.security.keystore u:object_r:keystore_service:s0 +android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0 +appops u:object_r:appops_service:s0 +appwidget u:object_r:appwidget_service:s0 +assetatlas u:object_r:assetatlas_service:s0 +audio u:object_r:audio_service:s0 +autofill u:object_r:autofill_service:s0 +backup u:object_r:backup_service:s0 +batteryproperties u:object_r:batteryproperties_service:s0 +batterystats u:object_r:batterystats_service:s0 +battery u:object_r:battery_service:s0 +binder_calls_stats u:object_r:binder_calls_stats_service:s0 +bluetooth_manager u:object_r:bluetooth_manager_service:s0 +bluetooth u:object_r:bluetooth_service:s0 +broadcastradio u:object_r:broadcastradio_service:s0 +carrier_config u:object_r:radio_service:s0 +clipboard u:object_r:clipboard_service:s0 +com.android.net.IProxyService u:object_r:IProxyService_service:s0 +commontime_management u:object_r:commontime_management_service:s0 +common_time.clock u:object_r:mediaserver_service:s0 +common_time.config u:object_r:mediaserver_service:s0 +companiondevice u:object_r:companion_device_service:s0 +connectivity u:object_r:connectivity_service:s0 +connmetrics u:object_r:connmetrics_service:s0 +consumer_ir u:object_r:consumer_ir_service:s0 +content u:object_r:content_service:s0 +contexthub u:object_r:contexthub_service:s0 +country_detector u:object_r:country_detector_service:s0 +coverage u:object_r:coverage_service:s0 +cpuinfo u:object_r:cpuinfo_service:s0 +crossprofileapps u:object_r:crossprofileapps_service:s0 +dbinfo u:object_r:dbinfo_service:s0 +device_policy u:object_r:device_policy_service:s0 +device_identifiers u:object_r:device_identifiers_service:s0 +deviceidle u:object_r:deviceidle_service:s0 
+devicestoragemonitor u:object_r:devicestoragemonitor_service:s0 +diskstats u:object_r:diskstats_service:s0 +display u:object_r:display_service:s0 +netd_listener u:object_r:netd_listener_service:s0 +network_watchlist u:object_r:network_watchlist_service:s0 +DockObserver u:object_r:DockObserver_service:s0 +dreams u:object_r:dreams_service:s0 +drm.drmManager u:object_r:drmserver_service:s0 +dropbox u:object_r:dropbox_service:s0 +dumpstate u:object_r:dumpstate_service:s0 +econtroller u:object_r:radio_service:s0 +euicc_card_controller u:object_r:radio_service:s0 +lowpan u:object_r:lowpan_service:s0 +ethernet u:object_r:ethernet_service:s0 +fingerprint u:object_r:fingerprint_service:s0 +font u:object_r:font_service:s0 +android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0 +gfxinfo u:object_r:gfxinfo_service:s0 +graphicsstats u:object_r:graphicsstats_service:s0 +gpu u:object_r:gpu_service:s0 +hardware u:object_r:hardware_service:s0 +hardware_properties u:object_r:hardware_properties_service:s0 +hdmi_control u:object_r:hdmi_control_service:s0 +incident u:object_r:incident_service:s0 +inputflinger u:object_r:inputflinger_service:s0 +input_method u:object_r:input_method_service:s0 +input u:object_r:input_service:s0 +installd u:object_r:installd_service:s0 +iphonesubinfo_msim u:object_r:radio_service:s0 +iphonesubinfo2 u:object_r:radio_service:s0 +iphonesubinfo u:object_r:radio_service:s0 +ims u:object_r:radio_service:s0 +imms u:object_r:imms_service:s0 +ipsec u:object_r:ipsec_service:s0 +isms_msim u:object_r:radio_service:s0 +isms2 u:object_r:radio_service:s0 +isms u:object_r:radio_service:s0 +isub u:object_r:radio_service:s0 +jobscheduler u:object_r:jobscheduler_service:s0 +launcherapps u:object_r:launcherapps_service:s0 +location u:object_r:location_service:s0 +lock_settings u:object_r:lock_settings_service:s0 +media.aaudio u:object_r:audioserver_service:s0 +media.audio_flinger u:object_r:audioserver_service:s0 +media.audio_policy 
u:object_r:audioserver_service:s0 +media.camera u:object_r:cameraserver_service:s0 +media.camera.proxy u:object_r:cameraproxy_service:s0 +media.log u:object_r:audioserver_service:s0 +media.player u:object_r:mediaserver_service:s0 +media.metrics u:object_r:mediametrics_service:s0 +media.extractor u:object_r:mediaextractor_service:s0 +media.extractor.update u:object_r:mediaextractor_update_service:s0 +media.codec u:object_r:mediacodec_service:s0 +media.resource_manager u:object_r:mediaserver_service:s0 +media.sound_trigger_hw u:object_r:audioserver_service:s0 +media.drm u:object_r:mediadrmserver_service:s0 +media_projection u:object_r:media_projection_service:s0 +media_resource_monitor u:object_r:media_session_service:s0 +media_router u:object_r:media_router_service:s0 +media_session u:object_r:media_session_service:s0 +meminfo u:object_r:meminfo_service:s0 +midi u:object_r:midi_service:s0 +mount u:object_r:mount_service:s0 +netd u:object_r:netd_service:s0 +netpolicy u:object_r:netpolicy_service:s0 +netstats u:object_r:netstats_service:s0 +network_management u:object_r:network_management_service:s0 +network_score u:object_r:network_score_service:s0 +network_time_update_service u:object_r:network_time_update_service:s0 +nfc u:object_r:nfc_service:s0 +notification u:object_r:notification_service:s0 +oem_lock u:object_r:oem_lock_service:s0 +otadexopt u:object_r:otadexopt_service:s0 +overlay u:object_r:overlay_service:s0 +package u:object_r:package_service:s0 +package_native u:object_r:package_native_service:s0 +perfprofd u:object_r:perfprofd_service:s0 +permission u:object_r:permission_service:s0 +persistent_data_block u:object_r:persistent_data_block_service:s0 +phone_msim u:object_r:radio_service:s0 +phone1 u:object_r:radio_service:s0 +phone2 u:object_r:radio_service:s0 +phone u:object_r:radio_service:s0 +pinner u:object_r:pinner_service:s0 +power u:object_r:power_service:s0 +print u:object_r:print_service:s0 +processinfo u:object_r:processinfo_service:s0 +procstats 
u:object_r:procstats_service:s0 +radio.phonesubinfo u:object_r:radio_service:s0 +radio.phone u:object_r:radio_service:s0 +radio.sms u:object_r:radio_service:s0 +recovery u:object_r:recovery_service:s0 +restrictions u:object_r:restrictions_service:s0 +rttmanager u:object_r:rttmanager_service:s0 +samplingprofiler u:object_r:samplingprofiler_service:s0 +scheduling_policy u:object_r:scheduling_policy_service:s0 +search u:object_r:search_service:s0 +secure_element u:object_r:secure_element_service:s0 +sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0 +sensorservice u:object_r:sensorservice_service:s0 +serial u:object_r:serial_service:s0 +servicediscovery u:object_r:servicediscovery_service:s0 +settings u:object_r:settings_service:s0 +shortcut u:object_r:shortcut_service:s0 +simphonebook_msim u:object_r:radio_service:s0 +simphonebook2 u:object_r:radio_service:s0 +simphonebook u:object_r:radio_service:s0 +sip u:object_r:radio_service:s0 +slice u:object_r:slice_service:s0 +stats u:object_r:stats_service:s0 +statscompanion u:object_r:statscompanion_service:s0 +soundtrigger u:object_r:voiceinteraction_service:s0 +statusbar u:object_r:statusbar_service:s0 +storaged u:object_r:storaged_service:s0 +storaged_pri u:object_r:storaged_service:s0 +storagestats u:object_r:storagestats_service:s0 +SurfaceFlinger u:object_r:surfaceflinger_service:s0 +system_update u:object_r:system_update_service:s0 +task u:object_r:task_service:s0 +telecom u:object_r:telecom_service:s0 +telephony.registry u:object_r:registry_service:s0 +textclassification u:object_r:textclassification_service:s0 +textservices u:object_r:textservices_service:s0 +timezone u:object_r:timezone_service:s0 +thermalservice u:object_r:thermal_service:s0 +trust u:object_r:trust_service:s0 +tv_input u:object_r:tv_input_service:s0 +uimode u:object_r:uimode_service:s0 +updatelock u:object_r:updatelock_service:s0 +usagestats u:object_r:usagestats_service:s0 +usb u:object_r:usb_service:s0 +user 
u:object_r:user_service:s0 +vibrator u:object_r:vibrator_service:s0 +virtual_touchpad u:object_r:virtual_touchpad_service:s0 +voiceinteraction u:object_r:voiceinteraction_service:s0 +vold u:object_r:vold_service:s0 +vr_hwc u:object_r:vr_hwc_service:s0 +vrmanager u:object_r:vr_manager_service:s0 +wallpaper u:object_r:wallpaper_service:s0 +webviewupdate u:object_r:webviewupdate_service:s0 +wifip2p u:object_r:wifip2p_service:s0 +wifiscanner u:object_r:wifiscanner_service:s0 +wifi u:object_r:wifi_service:s0 +wificond u:object_r:wificond_service:s0 +wifiaware u:object_r:wifiaware_service:s0 +wifirtt u:object_r:rttmanager_service:s0 +window u:object_r:window_service:s0 +* u:object_r:default_android_service:s0 diff --git a/prebuilts/api/28.0/private/servicemanager.te b/prebuilts/api/28.0/private/servicemanager.te new file mode 100644 index 000000000..9f675a2be --- /dev/null +++ b/prebuilts/api/28.0/private/servicemanager.te @@ -0,0 +1,5 @@ +typeattribute servicemanager coredomain; + +init_daemon_domain(servicemanager) + +read_runtime_log_tags(servicemanager) diff --git a/prebuilts/api/28.0/private/sgdisk.te b/prebuilts/api/28.0/private/sgdisk.te new file mode 100644 index 000000000..a17342e01 --- /dev/null +++ b/prebuilts/api/28.0/private/sgdisk.te @@ -0,0 +1 @@ +typeattribute sgdisk coredomain; diff --git a/prebuilts/api/28.0/private/shared_relro.te b/prebuilts/api/28.0/private/shared_relro.te new file mode 100644 index 000000000..02f720682 --- /dev/null +++ b/prebuilts/api/28.0/private/shared_relro.te @@ -0,0 +1,5 @@ +typeattribute shared_relro coredomain; + +# The shared relro process is a Java program forked from the zygote, so it +# inherits from app to get basic permissions it needs to run. +app_domain(shared_relro) diff --git a/prebuilts/api/28.0/private/shell.te b/prebuilts/api/28.0/private/shell.te new file mode 100644 index 000000000..130a13015 --- /dev/null +++ b/prebuilts/api/28.0/private/shell.te 
@@ -0,0 +1,53 @@
+typeattribute shell coredomain;
+
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
+# systrace support - allow atrace to run
+allow shell debugfs_tracing_debug:dir r_dir_perms;
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file rw_file_perms;
+allow shell debugfs_trace_marker:file getattr;
+allow shell atrace_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow shell debugfs_tracing_debug:file rw_file_perms;
+')
+
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
+
+# allow shell to call dumpsys storaged
+binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
+
+# Control Perfetto traced and obtain traces from it.
+# Needed for Studio and debugging.
+unix_socket_connect(shell, traced_consumer, traced)
+
+# Allow shell binaries to write trace data to Perfetto. Used for testing and
+# cmdline utils.
+allow shell traced:fd use;
+allow shell traced_tmpfs:file { read write getattr map };
+unix_socket_connect(shell, traced_producer, traced)
+
+domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
+
+# Allow shell binaries to exec the perfetto cmdline util and have that
+# transition into its own domain, so that it behaves consistently to
+# when exec()-d by statsd.
+domain_auto_trans(shell, perfetto_exec, perfetto)
+
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
+# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
+allow shell perfetto_traces_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_data_file:file r_file_perms;
diff --git a/prebuilts/api/28.0/private/slideshow.te b/prebuilts/api/28.0/private/slideshow.te
new file mode 100644
index 000000000..7dfa994ea
--- /dev/null
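Review bot: `binder_call(shell, statsd);` carries a trailing semicolon that no other macro invocation in this file has (compare `binder_call(shell, storaged)` earlier in the hunk); m4 leaves the `;` behind after expansion, so it ends up as a stray token in the generated policy, apparently tolerated by the compiler since this snapshot built, but inconsistent. Drop it: `binder_call(shell, statsd)`. This is a prebuilt snapshot, so the fix belongs in the source shell.te it mirrors.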
+++ b/prebuilts/api/28.0/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/prebuilts/api/28.0/private/stats.te b/prebuilts/api/28.0/private/stats.te
new file mode 100644
index 000000000..be8cfbd25
--- /dev/null
+++ b/prebuilts/api/28.0/private/stats.te
@@ -0,0 +1,25 @@
+type stats, domain;
+typeattribute stats coredomain;
+type stats_exec, exec_type, file_type;
+
+# switch to stats domain for stats command
+domain_auto_trans(shell, stats_exec, stats)
+
+# allow stats access to stdout from its parent shell.
+allow stats shell:fd use;
+
+# allow stats to communicate use, read and write over the adb
+# connection.
+allow stats adbd:fd use;
+allow stats adbd:unix_stream_socket { read write };
+
+# allow adbd to reap stats
+allow stats adbd:process { sigchld };
+
+# Allow the stats command to talk to the statsd over the binder, and get
+# back the stats report data from a ParcelFileDescriptor.
+binder_use(stats)
+allow stats stats_service:service_manager find;
+binder_call(stats, statsd)
+allow stats statsd:fifo_file write;
+
diff --git a/prebuilts/api/28.0/private/statsd.te b/prebuilts/api/28.0/private/statsd.te
new file mode 100644
index 000000000..fec10a4b6
--- /dev/null
+++ b/prebuilts/api/28.0/private/statsd.te
@@ -0,0 +1,107 @@
+type statsd, domain;
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
+
+type statsd_exec, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow statsd su:fifo_file read;
+')
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
+binder_call(statsd, incidentd)
+userdebug_or_eng(`
+ binder_call(statsd, perfprofd)
+')
+binder_call(statsd, statscompanion_service)
+binder_call(statsd, system_server)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Allow to exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. It allows statsd to capture traces and hand them
+# to Android dropbox.
+allow statsd perfetto_exec:file rx_file_perms;
+domain_auto_trans(statsd, perfetto_exec, perfetto)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ app_api_service
+ incident_service
+ statscompanion_service
+ system_api_service
+}:service_manager find;
+
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read };
+
+###
+### neverallow rules
+###
+
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
+neverallow {
+ domain
+ -dumpstate
+ -priv_app
+ -shell
+ -stats
+ -statsd
+ -system_app
+ -system_server
+ -traceur_app
+} stats_service:service_manager find;
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/prebuilts/api/28.0/private/storaged.te b/prebuilts/api/28.0/private/storaged.te
new file mode 100644
index 000000000..8ad872f61
--- /dev/null
+++ b/prebuilts/api/28.0/private/storaged.te
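Review bot: The comment over the first neverallow, `# Only system_server, system_app, traceur_app, and stats command can find the stats service.`, no longer matches the exception set below it, which also carves out dumpstate, priv_app, shell and statsd; neverallow comments are what auditors read when checking who may reach a service, so the comment should name the same set, e.g. `# Only dumpstate, priv_app, shell, stats, statsd, system_app, system_server and traceur_app may find the stats service.` Two earlier comments misdescribe their rules the same way: `# Allow statsd to make binder calls to any binder service.` heads a fixed list of domains, and `# Grant statsd with permissions to register the services.` heads a `service_manager find` rule, while registration is the separate `add_service(statsd, stats_service)` line. `binder_call(statsd, statscompanion_service)` names something the later `}:service_manager find;` block uses as a service_manager type rather than a process domain, so that line presumably grants nothing; confirm against the type's declaration and drop it if so. Typos in comments: `stdint` should be `stdin`, and `prohibitted` should be `prohibited`.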
@@ -0,0 +1,61 @@
+# storaged daemon
+type storaged, domain, coredomain, mlstrustedsubject;
+type storaged_exec, exec_type, file_type;
+
+init_daemon_domain(storaged)
+
+# Read access to pseudo filesystems
+r_dir_file(storaged, proc_net)
+r_dir_file(storaged, domain)
+
+# Read /proc/uid_io/stats
+allow storaged proc_uid_io_stats:file r_file_perms;
+
+# Read /data/system/packages.list
+allow storaged system_data_file:file r_file_perms;
+
+# Store storaged proto file
+allow storaged storaged_data_file:dir rw_dir_perms;
+allow storaged storaged_data_file:file create_file_perms;
+
+userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+')
+
+# Needed to provide debug dump output via dumpsys pipes.
+allow storaged shell:fd use;
+allow storaged shell:fifo_file write;
+
+# Needed for GMScore to call dumpsys storaged
+allow storaged priv_app:fd use;
+allow storaged app_data_file:file write;
+allow storaged permission_service:service_manager find;
+
+# Binder permissions
+add_service(storaged, storaged_service)
+
+binder_use(storaged)
+binder_call(storaged, system_server)
+
+hal_client_domain(storaged, hal_health)
+
+# Implements a dumpsys interface.
+allow storaged dumpstate:fd use;
+
+# use a subset of the package manager service
+allow storaged package_native_service:service_manager find;
+
+# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
+# running as root. See b/35323867 #3.
+dontaudit storaged self:global_capability_class_set dac_override;
+
+# For collecting bugreports.
+allow storaged dumpstate:fifo_file write;
+
+###
+### neverallow
+###
+neverallow storaged domain:process ptrace;
+neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/28.0/private/su.te b/prebuilts/api/28.0/private/su.te
new file mode 100644
index 000000000..16e47bbbf
--- /dev/null
+++ b/prebuilts/api/28.0/private/su.te
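Review bot: `allow storaged app_data_file:file write;` is bounded only by what it omits — without `open`, storaged can write an app data file solely through a descriptor another process has already handed it — yet the comment `# Needed for GMScore to call dumpsys storaged` does not say so, and a later reader may "complete" the rule to `w_file_perms` and widen it considerably. Make the boundary explicit: `# Write dumpsys output through an fd received from priv_app; deliberately no open.` Similarly `# Read /data/system/packages.list` names one file while the rule grants `r_file_perms` on all of `system_data_file`, which presumably labels far more than that file; noting the gap in the comment keeps the grant's real scope honest.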
@@ -0,0 +1,23 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
+
+ # Make sure that dumpstate runs the same from the "su" domain as
+ # from the "init" domain.
+ domain_auto_trans(su, dumpstate_exec, dumpstate)
+
+ # Put the incident command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, incident_exec, incident)
+
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+
+ app_domain(su)
+')
diff --git a/prebuilts/api/28.0/private/surfaceflinger.te b/prebuilts/api/28.0/private/surfaceflinger.te
new file mode 100644
index 000000000..e64b8de2c
--- /dev/null
+++ b/prebuilts/api/28.0/private/surfaceflinger.te
@@ -0,0 +1,120 @@
+# surfaceflinger - display compositor service
+
+typeattribute surfaceflinger coredomain;
+
+type surfaceflinger_exec, exec_type, file_type;
+init_daemon_domain(surfaceflinger)
+
+typeattribute surfaceflinger mlstrustedsubject;
+typeattribute surfaceflinger display_service_server;
+
+read_runtime_log_tags(surfaceflinger)
+
+# Perform HwBinder IPC.
+hal_client_domain(surfaceflinger, hal_graphics_allocator)
+hal_client_domain(surfaceflinger, hal_graphics_composer)
+hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, bootanim)
+binder_service(surfaceflinger)
+
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Set properties.
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, exported_system_prop)
+set_prop(surfaceflinger, exported2_system_prop)
+set_prop(surfaceflinger, exported3_system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger app_data_file:file { read write };
+
+# Allow writing surface traces to /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
+ allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
+')
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+
+# media.player service
+add_service(surfaceflinger, gpu_service)
+
+# do not use add_service() as hal_graphics_composer_default may be the
+# provider as well
+#add_service(surfaceflinger, surfaceflinger_service)
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger vr_manager_service:service_manager find;
+allow surfaceflinger window_service:service_manager find;
+
+
+# allow self to set SCHED_FIFO
+allow surfaceflinger self:global_capability_class_set sys_nice;
+allow surfaceflinger proc_meminfo:file r_file_perms;
+r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, system_file)
+allow surfaceflinger tmpfs:dir r_dir_perms;
+allow surfaceflinger system_server:fd use;
+allow surfaceflinger ion_device:chr_file r_file_perms;
+
+# pdx IPC
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
+
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+neverallow surfaceflinger sdcard_type:file rw_file_perms;
+
+# b/68864350
+dontaudit surfaceflinger unlabeled:dir search;
diff --git a/prebuilts/api/28.0/private/system_app.te b/prebuilts/api/28.0/private/system_app.te
new file mode 100644
index 000000000..eb7e05052
--- /dev/null
+++ b/prebuilts/api/28.0/private/system_app.te
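Review bot: The comment `# media.player service` sits above `add_service(surfaceflinger, gpu_service)`, which registers gpu_service and nothing media-related; it reads as a stale copy-paste and should become `# gpu service` or be removed. `binder_call(surfaceflinger, shell)` is grouped under `# Allow a dumpstate triggered screenshot` together with the dumpstate rules, but a binder path between surfaceflinger and shell is a separate grant and deserves its own one-line justification. The `### surfaceflinger should NEVER do any of this` banner is followed by one neverallow and then `dontaudit surfaceflinger unlabeled:dir search;`, which is not a restriction at all; moving the dontaudit above the banner keeps that section meaningful to whoever audits it next.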
@@ -0,0 +1,129 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+typeattribute system_app coredomain;
+
+app_domain(system_app)
+net_domain(system_app)
+binder_service(system_app)
+
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Read and write to /data/misc/user.
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
+
+# Access to vold-mounted storage for measuring free space
+allow system_app mnt_media_rw_file:dir search;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
+# Write to properties
+set_prop(system_app, bluetooth_a2dp_offload_prop)
+set_prop(system_app, bluetooth_prop)
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, exported_bluetooth_prop)
+set_prop(system_app, exported_system_prop)
+set_prop(system_app, exported2_system_prop)
+set_prop(system_app, exported3_system_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
+set_prop(system_app, exported_system_radio_prop)
+set_prop(system_app, log_tag_prop)
+userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
+auditallow system_app exported_system_radio_prop:property_service set;
+
+# ctl interface
+set_prop(system_app, ctl_default_prop)
+set_prop(system_app, ctl_bugreport_prop)
+
+# Create /data/anr/traces.txt.
+allow system_app anr_data_file:dir ra_dir_perms;
+allow system_app anr_data_file:file create_file_perms;
+
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
+# Allow system apps to interact with incidentd
+binder_call(system_app, incidentd)
+
+allow system_app servicemanager:service_manager list;
+# TODO: scope this down? Too broad?
+allow system_app {
+ service_manager_type
+ -dumpstate_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
+# suppress denials for services system_app should not be accessing.
+dontaudit system_app {
+ dumpstate_service
+ installd_service
+ netd_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
+allow system_app keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ user_changed
+};
+
+# settings app reads /proc/version
+allow system_app {
+ proc_version
+}:file r_file_perms;
+
+control_logd(system_app)
+read_runtime_log_tags(system_app)
+get_prop(system_app, device_logging_prop)
+
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
new file mode 100644
index 000000000..9830bd6a9
--- /dev/null
+++ b/prebuilts/api/28.0/private/system_server.te
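Review bot: `allow system_app { proc_version }:file r_file_perms;` wraps a single type in a set, which elsewhere in this file is used only for multiple types; write it as `allow system_app proc_version:file r_file_perms;`. The `service_manager_type` grant minus six services is already marked `# TODO: scope this down? Too broad?`, and the `dontaudit` block repeats the same six names; if the list stays, a comment `# Keep this exclusion list in sync with the dontaudit below.` prevents the two drifting apart, since a service dropped from one but not the other would either silently become reachable or be noisily denied. The `keystore_key` grant enumerates seventeen operations with no comment; a one-line note on which system apps need the key-management operations such as `reset`, `clear_uid` and `user_changed` would make later audits of this domain easier.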
@@ -0,0 +1,852 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+
+typeattribute system_server coredomain;
+typeattribute system_server mlstrustedsubject;
+
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
+# Create a socket for connections from crash_dump.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+
+allow system_server zygote_tmpfs:file read;
+
+# For art.
+allow system_server dalvikcache_data_file:dir r_dir_perms;
+allow system_server dalvikcache_data_file:file r_file_perms;
+
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
+
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+
+# May kill zygote on crashes.
+allow system_server zygote:process sigkill;
+allow system_server crash_dump:process sigkill;
+allow system_server webview_zygote:process sigkill;
+
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
+
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# system server gets network and bluetooth permissions.
+net_domain(system_server)
+# in addition to ioctls whitelisted for all domains, also allow system_server
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
+bluetooth_domain(system_server)
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:global_capability_class_set {
+ ipc_lock
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_nice
+ sys_ptrace
+ sys_time
+ sys_tty_config
+};
+
+wakelock_use(system_server)
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Allow alarmtimers to be set
+allow system_server self:global_capability2_class_set wake_alarm;
+
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
+# Use generic "sockets" where the address family is not known
+# to the kernel. The ioctl permission is specifically omitted here, but may
+# be added to device specific policy along with the ioctl commands to be
+# whitelisted.
+allow system_server self:socket create_socket_perms_no_ioctl;
+
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
+# Kill apps.
+allow system_server appdomain:process { getpgid sigkill signal };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server audioserver:process { getsched setsched };
+allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
+allow system_server hal_camera:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+allow system_server bootanim:process { getsched setsched };
+
+# Allow system_server to write to /proc//timerslack_ns
+allow system_server appdomain:file w_file_perms;
+allow system_server audioserver:file w_file_perms;
+allow system_server cameraserver:file w_file_perms;
+allow system_server hal_audio_server:file w_file_perms;
+
+# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
+# within system_server to keep track of memory and CPU usage for
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
+r_dir_file(system_server, domain)
+
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
+allow system_server qtaguid_proc:file rw_file_perms;
+allow system_server qtaguid_device:chr_file rw_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
+
+# Read /sys/kernel/debug/wakeup_sources.
+allow system_server debugfs:file r_file_perms;
+allow system_server debugfs_wakeup_sources:file r_file_perms;
+
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
+
+# The DhcpClient and WifiWatchdog use packet_sockets
+allow system_server self:packet_socket create_socket_perms_no_ioctl;
+
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create_socket_perms_no_ioctl;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
+unix_socket_connect(system_server, netd, netd)
+unix_socket_connect(system_server, zygote, zygote)
+unix_socket_connect(system_server, racoon, racoon)
+unix_socket_connect(system_server, uncrypt, uncrypt)
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+# Communicate over a socket created by webview_zygote.
+allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
+
+# Perform Binder IPC.
+binder_use(system_server)
+binder_call(system_server, appdomain)
+binder_call(system_server, binderservicedomain)
+binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, installd)
+binder_call(system_server, incidentd)
+binder_call(system_server, netd)
+binder_call(system_server, statsd)
+binder_call(system_server, storaged)
+binder_call(system_server, vold)
+binder_call(system_server, wificond)
+binder_call(system_server, wpantund)
+binder_service(system_server)
+
+# Use HALs
+hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_authsecret)
+hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_configstore)
+hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_fingerprint)
+hal_client_domain(system_server, hal_gnss)
+hal_client_domain(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_health)
+hal_client_domain(system_server, hal_ir)
+hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_neuralnetworks)
+hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
+hal_client_domain(system_server, hal_power)
+hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_tetheroffload)
+hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_input)
+hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_usb_gadget)
+hal_client_domain(system_server, hal_vibrator)
+hal_client_domain(system_server, hal_vr)
+hal_client_domain(system_server, hal_weaver)
+hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
+hal_client_domain(system_server, hal_wifi_offload)
+hal_client_domain(system_server, hal_wifi_supplicant)
+
+binder_call(system_server, mediacodec)
+
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+
+# Send signals to trigger ANR traces.
+allow system_server {
+ # This is derived from the list that system server defines as interesting native processes
+ # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ mediametrics
+ sdcardd
+ statsd
+ surfaceflinger
+
+ # This list comes from HAL_INTERFACES_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_graphics_composer_server
+ hal_sensors_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
+}:process { signal };
+
+# Use sockets received over binder from various services.
+allow system_server audioserver:tcp_socket rw_socket_perms;
+allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
+
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
+# Check SELinux permissions.
+selinux_check_access(system_server)
+
+allow system_server sysfs_type:dir search;
+
+r_dir_file(system_server, sysfs_android_usb)
+allow system_server sysfs_android_usb:file w_file_perms;
+
+r_dir_file(system_server, sysfs_ipv4)
+allow system_server sysfs_ipv4:file w_file_perms;
+
+r_dir_file(system_server, sysfs_rtc)
+r_dir_file(system_server, sysfs_switch)
+r_dir_file(system_server, sysfs_wakeup_reasons)
+
+allow system_server sysfs_nfc_power_writable:file rw_file_perms;
+allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_power:dir search;
+allow system_server sysfs_power:file rw_file_perms;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file r_file_perms;
+
+# TODO: Remove when HALs are forced into separate processes
+allow system_server sysfs_vibrator:file { write append };
+
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
+# Access devices.
+allow system_server device:dir r_dir_perms;
+allow system_server mdns_socket:sock_file rw_file_perms;
+allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server iio_device:chr_file rw_file_perms;
+allow system_server input_device:dir r_dir_perms;
+allow system_server input_device:chr_file rw_file_perms;
+allow system_server radio_device:chr_file r_file_perms;
+allow system_server tty_device:chr_file rw_file_perms;
+allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
+allow system_server video_device:chr_file rw_file_perms;
+allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
+allow system_server audio_device:dir r_dir_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file rw_file_perms;
+
+# Manage system data files.
+allow system_server system_data_file:dir create_dir_perms;
+allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
+allow system_server keychain_data_file:lnk_file create_file_perms;
+
+# Manage /data/app.
+allow system_server apk_data_file:dir create_dir_perms;
+allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
+allow system_server apk_tmp_file:dir create_dir_perms;
+allow system_server apk_tmp_file:file create_file_perms;
+
+# Access /vendor/{app,framework,overlay}
+r_dir_file(system_server, vendor_app_file)
+r_dir_file(system_server, vendor_framework_file)
+r_dir_file(system_server, vendor_overlay_file)
+
+# Manage /data/app-private.
+allow system_server apk_private_data_file:dir create_dir_perms;
+allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
+allow system_server apk_private_tmp_file:file create_file_perms;
+
+# Manage files within asec containers.
+allow system_server asec_apk_file:dir create_dir_perms;
+allow system_server asec_apk_file:file create_file_perms;
+allow system_server asec_public_file:file create_file_perms;
+
+# Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
+allow system_server anr_data_file:dir create_dir_perms;
+allow system_server anr_data_file:file create_file_perms;
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture and incidentd during incident collection.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
+allow system_server incidentd:fifo_file append;
+
+# Read /data/misc/incidents - only read. The fd will be sent over binder,
+# with no DAC access to it, for dropbox to read.
+allow system_server incident_data_file:file read;
+
+# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# binder.
+allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto:fd use;
+
+# Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder.
+userdebug_or_eng(`
+ allow system_server perfprofd_data_file:file read;
+ allow system_server perfprofd:fd use;
+')
+
+# Manage /data/backup.
+allow system_server backup_data_file:dir create_dir_perms;
+allow system_server backup_data_file:file create_file_perms;
+
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
+# Manage /data/misc/adb.
+allow system_server adb_keys_file:dir create_dir_perms;
+allow system_server adb_keys_file:file create_file_perms;
+
+# Manage /data/misc/network_watchlist
+allow system_server network_watchlist_data_file:dir create_dir_perms;
+allow system_server network_watchlist_data_file:file create_file_perms;
+
+# Manage /data/misc/sms.
+# TODO: Split into a separate type?
+allow system_server radio_data_file:dir create_dir_perms;
+allow system_server radio_data_file:file create_file_perms;
+
+# Manage /data/misc/systemkeys.
+allow system_server systemkeys_data_file:dir create_dir_perms;
+allow system_server systemkeys_data_file:file create_file_perms;
+
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
+# Access /data/tombstones.
+allow system_server tombstone_data_file:dir r_dir_perms;
+allow system_server tombstone_data_file:file r_file_perms;
+
+# Manage /data/misc/vpn.
+allow system_server vpn_data_file:dir create_dir_perms;
+allow system_server vpn_data_file:file create_file_perms;
+
+# Manage /data/misc/wifi.
+allow system_server wifi_data_file:dir create_dir_perms;
+allow system_server wifi_data_file:file create_file_perms;
+
+# Manage /data/misc/zoneinfo.
+allow system_server zoneinfo_data_file:dir create_dir_perms;
+allow system_server zoneinfo_data_file:file create_file_perms;
+
+# Walk /data/data subdirectories.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search }; +# Also permit for unlabeled /data/data subdirectories and +# for unlabeled asec containers on upgrades from 4.2. +allow system_server unlabeled:dir r_dir_perms; +# Read pkg.apk file before it has been relabeled by vold. +allow system_server unlabeled:file r_file_perms; + +# Populate com.android.providers.settings/databases/settings.db. +allow system_server system_app_data_file:dir create_dir_perms; +allow system_server system_app_data_file:file create_file_perms; + +# Receive and use open app data files passed over binder IPC. +# Types extracted from seapp_contexts type= fields. +allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append }; + +# Access to /data/media for measuring disk usage. +allow system_server media_rw_data_file:dir { search getattr open read }; + +# Receive and use open /data/media files passed over binder IPC. +# Also used for measuring disk usage. +allow system_server media_rw_data_file:file { getattr read write append }; + +# Relabel apk files. +allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; +allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; + +# Relabel wallpaper. 
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file { rw_file_perms rename unlink };
+
+# Backup of wallpaper imagery uses temporary hard links to avoid data churn
+allow system_server { system_data_file wallpaper_file }:file link;
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
+
+# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
+allow system_server system_data_file:dir relabelfrom;
+
+# Property Service write
+set_prop(system_server, system_prop)
+set_prop(system_server, exported_system_prop)
+set_prop(system_server, exported2_system_prop)
+set_prop(system_server, exported3_system_prop)
+set_prop(system_server, safemode_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, exported_system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
+set_prop(system_server, exported_fingerprint_prop)
+set_prop(system_server, device_logging_prop)
+set_prop(system_server, dumpstate_options_prop)
+set_prop(system_server, overlay_prop)
+set_prop(system_server, exported_overlay_prop)
+set_prop(system_server, pm_prop)
+set_prop(system_server, exported_pm_prop)
+userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+
+# ctl interface
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_bugreport_prop)
+
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
+# BootReceiver to read ro.boot.bootreason
+get_prop(system_server, bootloader_boot_reason_prop)
+# PowerManager to read persist.sys.boot.reason
+get_prop(system_server, last_boot_reason_prop)
+
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
+# Read/write the property which keeps track of whether this is the first start of system_server
+set_prop(system_server, firstboot_prop)
+
+# Create a socket for connections from debuggerd.
+allow system_server system_ndebug_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system_server cache_file:lnk_file r_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
+
+allow system_server system_file:dir r_dir_perms;
+allow system_server system_file:lnk_file r_file_perms;
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_control:file rw_file_perms;
+
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
+
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
+allow system_server cache_backup_file:file create_file_perms;
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file rw_file_perms;
+allow system_server usb_device:dir r_dir_perms;
+
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
+
+# Read from log daemon.
+read_logd(system_server)
+read_runtime_log_tags(system_server)
+
+# Be consistent with DAC permissions. Allow system_server to write to
+# /sys/module/lowmemorykiller/parameters/adj
+# /sys/module/lowmemorykiller/parameters/minfree
+allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow system_server pstorefs:dir r_dir_perms;
+allow system_server pstorefs:file r_file_perms;
+
+# /sys access
+allow system_server sysfs_zram:dir search;
+allow system_server sysfs_zram:file r_file_perms;
+
+add_service(system_server, system_server_service);
+allow system_server audioserver_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
+allow system_server drmserver_service:service_manager find;
+allow system_server dumpstate_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server incident_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server mediametrics_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
+allow system_server mediacodec_service:service_manager find;
+allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
+allow system_server nfc_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server stats_service:service_manager find;
+allow system_server storaged_service:service_manager find;
+allow system_server surfaceflinger_service:service_manager find;
+allow system_server vold_service:service_manager find;
+allow system_server wificond_service:service_manager find;
+
+add_service(system_server, batteryproperties_service)
+
+allow system_server keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+};
+
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
+allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
+
+# Clean up old cgroups
+allow system_server cgroup:dir { remove_name rmdir };
+
+# /oem access
+r_dir_file(system_server, oemfs)
+
+# Allow resolving per-user storage symlinks
+allow system_server { mnt_user_file storage_file }:dir { getattr search };
+allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
+
+# Allow statfs() on storage devices, which happens fast enough that
+# we shouldn't be killed during unsafe removal
+allow system_server sdcard_type:dir { getattr search };
+
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
+# Allow system process to relabel the fingerprint directory after mkdir
+# and delete the directory and files when no longer needed
+allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
+allow system_server fingerprintd_data_file:file { getattr unlink };
+
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
+userdebug_or_eng(`
+ # Allow system server to create and write method traces in /data/misc/trace.
+ allow system_server method_trace_data_file:dir w_dir_perms;
+ allow system_server method_trace_data_file:file { create w_file_perms };
+
+ # Allow system server to read dmesg
+ allow system_server kernel:system syslog_read;
+
+ # Allow writing and removing window traces in /data/misc/wmtrace.
+ allow system_server wm_trace_data_file:dir rw_dir_perms;
+ allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+')
+
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
+
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open create unlink write };
+
+# Connect to adbd and use a socket transferred from it.
+# Used for e.g. jdwp.
+allow system_server adbd:unix_stream_socket connectto;
+allow system_server adbd:fd use;
+allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# Allow invoking tools like "timeout"
+allow system_server toolbox_exec:file rx_file_perms;
+
+# Postinstall
+#
+# For OTA dexopt, allow calls coming from postinstall.
+binder_call(system_server, postinstall)
+
+allow system_server postinstall:fifo_file write;
+allow system_server update_engine:fd use;
+allow system_server update_engine:fifo_file write;
+
+# Access to /data/preloads
+allow system_server preloads_data_file:file { r_file_perms unlink };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+r_dir_file(system_server, cgroup)
+allow system_server ion_device:chr_file r_file_perms;
+
+r_dir_file(system_server, proc_asound)
+r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_qtaguid_stat)
+allow system_server {
+ proc_loadavg
+ proc_meminfo
+ proc_pagetypeinfo
+ proc_pipe_conf
+ proc_stat
+ proc_uid_cputime_showstat
+ proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_version
+ proc_vmallocinfo
+}:file r_file_perms;
+
+allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
+
+r_dir_file(system_server, rootfs)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow system_server debugfs_tracing_instances:dir search;
+allow system_server debugfs_wifi_tracing:dir search;
+allow system_server debugfs_wifi_tracing:file rw_file_perms;
+
+# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
+# asanwrapper.
+with_asan(`
+ allow system_server shell_exec:file rx_file_perms;
+ allow system_server asanwrapper_exec:file rx_file_perms;
+ allow system_server zygote_exec:file rx_file_perms;
+')
+
+# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# the map after snapshot is recorded
+allow system_server fs_bpf:dir search;
+allow system_server fs_bpf:file read;
+allow system_server netd:bpf map_read;
+
+# ART Profiles.
+# Allow system_server to open profile snapshots for read.
+# System server never reads the actual content. It passes the descriptor to
+# to privileged apps which acquire the permissions to inspect the profiles.
+allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:file { getattr open read };
+
+userdebug_or_eng(`
+ # Allow system server to notify mediaextractor of the plugin update.
+ allow system_server mediaextractor_update_service:service_manager find;
+')
+
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### system_server should NEVER do any of this
+
+# Do not allow opening files from external storage as unsafe ejection
+# could cause the kernel to kill the system_server.
+neverallow system_server sdcard_type:dir { open read write };
+neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be operating on zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server {
+ file_type
+ -toolbox_exec
+ -logcat_exec
+ with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
+}:file execute_no_trans;
+
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs.
+neverallow system_server { domain -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# system_server should never execute or load executable shared libraries
+# in /data
+neverallow system_server data_file_type:file no_x_file_perms;
+
+# The only block device system_server should be accessing is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+
+# system_server should never use JIT functionality
+neverallow system_server self:process execmem;
+neverallow system_server ashmem_device:chr_file execute;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow system_server system_server_tmpfs:file execute;
+
+# dexoptanalyzer is currently used only for secondary dex files which
+# system_server should never access.
+neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+neverallow system_server system_server:global_capability_class_set sys_resource;
diff --git a/prebuilts/api/28.0/private/technical_debt.cil b/prebuilts/api/28.0/private/technical_debt.cil
new file mode 100644
index 000000000..7f9d315ed
--- /dev/null
+++ b/prebuilts/api/28.0/private/technical_debt.cil
@@ -0,0 +1,38 @@
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_allocator_client;
+; typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))
+
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Cas HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
diff --git a/prebuilts/api/28.0/private/thermalserviced.te b/prebuilts/api/28.0/private/thermalserviced.te
new file mode 100644
index 000000000..1a09e203e
--- /dev/null
+++ b/prebuilts/api/28.0/private/thermalserviced.te
@@ -0,0 +1,4 @@
+typeattribute thermalserviced coredomain;
+
+init_daemon_domain(thermalserviced)
+
diff --git a/prebuilts/api/28.0/private/tombstoned.te b/prebuilts/api/28.0/private/tombstoned.te
new file mode 100644
index 000000000..305f9d006
--- /dev/null
+++ b/prebuilts/api/28.0/private/tombstoned.te
@@ -0,0 +1,3 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
diff --git a/prebuilts/api/28.0/private/toolbox.te b/prebuilts/api/28.0/private/toolbox.te
new file mode 100644
index 000000000..a2b958dba
--- /dev/null
+++ b/prebuilts/api/28.0/private/toolbox.te
@@ -0,0 +1,3 @@
+typeattribute toolbox coredomain;
+
+init_daemon_domain(toolbox)
diff --git a/prebuilts/api/28.0/private/traced.te b/prebuilts/api/28.0/private/traced.te
new file mode 100644
index 000000000..49edc5174
--- /dev/null
+++ b/prebuilts/api/28.0/private/traced.te
@@ -0,0 +1,60 @@
+# Perfetto user-space tracing daemon (unprivileged)
+type traced, domain, coredomain, mlstrustedsubject;
+type traced_exec, exec_type, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# share memory buffers created by traced.
+typeattribute traced_tmpfs mlstrustedobject;
+
+# Allow traced to start with a lower scheduling class and change
+# class accordingly to what defined in the config provided by
+# the privileged process that controls it.
+allow traced self:global_capability_class_set { sys_nice };
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced perfetto_traces_data_file:file { read write };
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced self:process execmem;
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
+neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced {
+ data_file_type
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
diff --git a/prebuilts/api/28.0/private/traced_probes.te b/prebuilts/api/28.0/private/traced_probes.te
new file mode 100644
index 000000000..5d80f7e8b
--- /dev/null
+++ b/prebuilts/api/28.0/private/traced_probes.te
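Review bot: The TODO(b/72998741) comment inside the `}:dir *;` neverallow says the vendor_data_file exemption is "Further restricted in a subsequent neverallow", but none of the neverallow rules that follow in traced.te name vendor_data_file — only system_data_file and zoneinfo_data_file get their own bounding rule. If the getattr/search bound is enforced in another policy file, the comment should say which one; otherwise a rule such as `neverallow traced vendor_data_file:dir ~{ getattr search };` next to the system_data_file line would make the file match its own comment. The traced_probes.te hunk carries the same comment with the same gap.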
@@ -0,0 +1,99 @@
+# Perfetto tracing probes, has tracefs access.
+type traced_probes_exec, exec_type, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+allow traced_probes traced:fd use;
+allow traced_probes traced_tmpfs:file { read write getattr map };
+unix_socket_connect(traced_probes, traced_producer, traced)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+
+# TODO(primiano): temporarily I/O tracing categories are still
+# userdebug only until we nail down the blacklist/whitelist.
+userdebug_or_eng(`
+allow traced_probes debugfs_tracing_debug:file rw_file_perms;
+')
+
+# Allow traced_probes to start with a higher scheduling class and then downgrade
+# itself.
+allow traced_probes self:global_capability_class_set { sys_nice };
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow traced_probes to list the system partition.
+allow traced_probes system_file:dir { open read };
+
+# Allow traced_probes to list some of the data partition.
+allow traced_probes self:capability dac_read_search;
+
+allow traced_probes apk_data_file:dir { getattr open read search };
+allow traced_probes dalvikcache_data_file:dir { getattr open read search };
+userdebug_or_eng(`
+allow traced_probes system_data_file:dir { getattr open read search };
+')
+allow traced_probes system_app_data_file:dir { getattr open read search };
+allow traced_probes backup_data_file:dir { getattr open read search };
+allow traced_probes bootstat_data_file:dir { getattr open read search };
+allow traced_probes update_engine_data_file:dir { getattr open read search };
+allow traced_probes update_engine_log_data_file:dir { getattr open read search };
+allow traced_probes user_profile_data_file:dir { getattr open read search };
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace);
+
+# This is needed for: path="/system/bin/linker64"
+# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
+allow atrace traced_probes:fd use;
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced_probes self:process execmem;
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+ data_file_type
+ -apk_data_file
+ -dalvikcache_data_file
+ -system_data_file
+ -system_app_data_file
+ -backup_data_file
+ -bootstat_data_file
+ -update_engine_data_file
+ -update_engine_log_data_file
+ -user_profile_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
+neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
diff --git a/prebuilts/api/28.0/private/traceur_app.te b/prebuilts/api/28.0/private/traceur_app.te
new file mode 100644
index 000000000..a3c435ce5
--- /dev/null
+++ b/prebuilts/api/28.0/private/traceur_app.te
@@ -0,0 +1,15 @@
+typeattribute traceur_app coredomain;
+
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
+
+userdebug_or_eng(`
+ allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+')
+
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app atrace_exec:file rx_file_perms;
+
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
diff --git a/prebuilts/api/28.0/private/tzdatacheck.te b/prebuilts/api/28.0/private/tzdatacheck.te
new file mode 100644
index 000000000..502735cad
--- /dev/null
+++ b/prebuilts/api/28.0/private/tzdatacheck.te
@@ -0,0 +1,3 @@
+typeattribute tzdatacheck coredomain;
+
+init_daemon_domain(tzdatacheck)
diff --git a/prebuilts/api/28.0/private/ueventd.te b/prebuilts/api/28.0/private/ueventd.te
new file mode 100644
index 000000000..1bd67735e
--- /dev/null
+++ b/prebuilts/api/28.0/private/ueventd.te
@@ -0,0 +1,3 @@
+typeattribute ueventd coredomain;
+
+tmpfs_domain(ueventd)
diff --git a/prebuilts/api/28.0/private/uncrypt.te b/prebuilts/api/28.0/private/uncrypt.te
new file mode 100644
index 000000000..e4e9224d9
--- /dev/null
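Review bot: `allow traced_probes self:capability dac_read_search;` grants the capability through the bare `capability` class, while the sys_nice rule earlier in the same file uses `self:global_capability_class_set`; the two should agree, e.g. `allow traced_probes self:global_capability_class_set dac_read_search;`. Because CAP_DAC_READ_SEARCH lets the daemon bypass DAC read and search checks, the one-line comment above it ("list some of the data partition") would read better if it also said that the `}:dir *;` neverallow block at the end of the file is what confines that access to the listed directory types. `r_dir_file(traced_probes, domain)` under "Allow procfs access" is likewise broad for a probe daemon; naming the per-process entries it actually reads would let the next reviewer judge whether a narrower target type exists.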
+++ b/prebuilts/api/28.0/private/uncrypt.te
@@ -0,0 +1,3 @@
+typeattribute uncrypt coredomain;
+
+init_daemon_domain(uncrypt)
diff --git a/prebuilts/api/28.0/private/untrusted_app.te b/prebuilts/api/28.0/private/untrusted_app.te
new file mode 100644
index 000000000..c15fa2244
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_app.te
@@ -0,0 +1,25 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app coredomain;
+
+app_domain(untrusted_app)
+untrusted_app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
diff --git a/prebuilts/api/28.0/private/untrusted_app_25.te b/prebuilts/api/28.0/private/untrusted_app_25.te
new file mode 100644
index 000000000..ba2c1e1c7
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_app_25.te
@@ -0,0 +1,42 @@
+###
+### Untrusted_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app_25 coredomain;
+
+app_domain(untrusted_app_25)
+untrusted_app_domain(untrusted_app_25)
+net_domain(untrusted_app_25)
+bluetooth_domain(untrusted_app_25)
+
+# b/34115651 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_app_25, net_dns_prop)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
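Review bot: The header paragraph in untrusted_app_25.te still says "The untrusted_app domain is the default assignment in seapp_contexts", which is the untrusted_app.te wording and names a different domain than the one this file declares, so a reader cannot tell which domain the paragraph is describing; the first sentences already scope the file to `targetSdkVersion <= 25`, so the paragraph should refer to untrusted_app_25 and say how seapp_contexts selects it, or be trimmed to the per-domain facts. The untrusted_app_27.te hunk has a related copy-paste artefact: its title line reads `### Untrusted_27.` and the sentence "This file defines the rules for untrusted apps." repeats the one two lines above it; `### Untrusted_app_27.` and dropping the duplicate sentence would fix that file.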
diff --git a/prebuilts/api/28.0/private/untrusted_app_27.te b/prebuilts/api/28.0/private/untrusted_app_27.te
new file mode 100644
index 000000000..79c776287
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_app_27.te
@@ -0,0 +1,28 @@
+###
+### Untrusted_27.
+###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 27.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_27 domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app_27 coredomain;
+
+app_domain(untrusted_app_27)
+untrusted_app_domain(untrusted_app_27)
+net_domain(untrusted_app_27)
+bluetooth_domain(untrusted_app_27)
diff --git a/prebuilts/api/28.0/private/untrusted_app_all.te b/prebuilts/api/28.0/private/untrusted_app_all.te
new file mode 100644
index 000000000..6cf166827
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_app_all.te
@@ -0,0 +1,140 @@
+###
+### Untrusted_app_all.
+###
+### This file defines the rules shared by all untrusted app domains except
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_all attribute is assigned to all default
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### attribute is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
+
+# Legacy text relocations
+allow untrusted_app_all apk_data_file:file execmod;
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
+
+# ASEC
+allow untrusted_app_all asec_apk_file:file r_file_perms;
+allow untrusted_app_all asec_apk_file:dir r_dir_perms;
+# Execute libs in asec containers.
+allow untrusted_app_all asec_public_file:file { execute execmod };
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app_all shell_data_file:file r_file_perms;
+allow untrusted_app_all shell_data_file:dir r_dir_perms;
+
+# Allow traceur to pass file descriptors through a content provider to untrusted apps
+# for the purpose of sharing files through e.g. gmail
+allow untrusted_app_all trace_data_file:file { getattr read };
+
+# untrusted apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor
+neverallow untrusted_app_all trace_data_file:dir *;
+neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+
+# Allow to read staged apks.
+allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app_all system_app_data_file:file { read write getattr };
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access to /data/media.
+allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
+allow untrusted_app_all media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app_all mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_app_all servicemanager:service_manager list;
+
+allow untrusted_app_all audioserver_service:service_manager find;
+allow untrusted_app_all cameraserver_service:service_manager find;
+allow untrusted_app_all drmserver_service:service_manager find;
+allow untrusted_app_all mediaserver_service:service_manager find;
+allow untrusted_app_all mediaextractor_service:service_manager find;
+allow untrusted_app_all mediacodec_service:service_manager find;
+allow untrusted_app_all mediametrics_service:service_manager find;
+allow untrusted_app_all mediadrmserver_service:service_manager find;
+allow untrusted_app_all nfc_service:service_manager find;
+allow untrusted_app_all radio_service:service_manager find;
+allow untrusted_app_all app_api_service:service_manager find;
+allow untrusted_app_all vr_manager_service:service_manager find;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+ allow untrusted_app_all perfprofd_data_file:file r_file_perms;
+ allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
+')
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_app_all self:process ptrace;
+
+# Cts: HwRngTest
+allow untrusted_app_all sysfs_hwrandom:dir search;
+allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
+
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow untrusted_app_all traced:fd use;
+allow untrusted_app_all traced_tmpfs:file { read write getattr map };
+unix_socket_connect(untrusted_app_all, traced_producer, traced)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_all)
+
+# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
+dontaudit untrusted_app_all net_dns_prop:file read;
+
+# These have been disallowed since Android O.
+# For P, we assume that apps are safely handling the denial.
+dontaudit untrusted_app_all proc_stat:file read;
+dontaudit untrusted_app_all proc_vmstat:file read;
+dontaudit untrusted_app_all proc_uptime:file read;
diff --git a/prebuilts/api/28.0/private/untrusted_v2_app.te b/prebuilts/api/28.0/private/untrusted_v2_app.te
new file mode 100644
index 000000000..8f4bceb2c
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_v2_app.te
@@ -0,0 +1,47 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+typeattribute untrusted_v2_app coredomain;
+
+app_domain(untrusted_v2_app)
+net_domain(untrusted_v2_app)
+bluetooth_domain(untrusted_v2_app)
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_v2_app system_app_data_file:file { read write getattr };
+
+# Access to /data/media.
+allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
+allow untrusted_v2_app media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_v2_app mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_v2_app servicemanager:service_manager list;
+
+allow untrusted_v2_app audioserver_service:service_manager find;
+allow untrusted_v2_app cameraserver_service:service_manager find;
+allow untrusted_v2_app drmserver_service:service_manager find;
+allow untrusted_v2_app mediaserver_service:service_manager find;
+allow untrusted_v2_app mediaextractor_service:service_manager find;
+allow untrusted_v2_app mediacodec_service:service_manager find;
+allow untrusted_v2_app mediametrics_service:service_manager find;
+allow untrusted_v2_app mediadrmserver_service:service_manager find;
+allow untrusted_v2_app nfc_service:service_manager find;
+allow untrusted_v2_app radio_service:service_manager find;
+# TODO: potentially provide a tighter list of services here
+allow untrusted_v2_app app_api_service:service_manager find;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_v2_app self:process ptrace;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow untrusted_v2_app traced:fd use;
+allow untrusted_v2_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(untrusted_v2_app, traced_producer, traced)
diff --git a/prebuilts/api/28.0/private/update_engine.te b/prebuilts/api/28.0/private/update_engine.te
new file mode 100644
index 000000000..5af7db681
--- /dev/null
+++ b/prebuilts/api/28.0/private/update_engine.te
@@ -0,0 +1,3 @@
+typeattribute update_engine coredomain;
+
+init_daemon_domain(update_engine);
diff --git a/prebuilts/api/28.0/private/update_engine_common.te b/prebuilts/api/28.0/private/update_engine_common.te
new file mode 100644
index 000000000..a7fb58471
--- /dev/null
+++ b/prebuilts/api/28.0/private/update_engine_common.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/prebuilts/api/28.0/private/update_verifier.te b/prebuilts/api/28.0/private/update_verifier.te
new file mode 100644
index 000000000..1b934d980
--- /dev/null
+++ b/prebuilts/api/28.0/private/update_verifier.te
@@ -0,0 +1,3 @@
+typeattribute update_verifier coredomain;
+
+init_daemon_domain(update_verifier)
diff --git a/prebuilts/api/28.0/private/usbd.te b/prebuilts/api/28.0/private/usbd.te
new file mode 100644
index 000000000..13a0ad7a6
--- /dev/null
+++ b/prebuilts/api/28.0/private/usbd.te
@@ -0,0 +1,12 @@
+typeattribute usbd coredomain;
+
+init_daemon_domain(usbd)
+
+# Access usb gadget hal
+hal_client_domain(usbd, hal_usb_gadget)
+
+# Access persist.sys.usb.config
+get_prop(usbd, system_prop)
+
+# start adbd during boot if adb is enabled
+set_prop(usbd, ctl_default_prop)
diff --git a/prebuilts/api/28.0/private/users b/prebuilts/api/28.0/private/users
new file mode 100644
index 000000000..51b7b57e6
--- /dev/null
+++ b/prebuilts/api/28.0/private/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/prebuilts/api/28.0/private/vdc.te b/prebuilts/api/28.0/private/vdc.te
new file mode 100644
index 000000000..bc7409eee
--- /dev/null
+++ b/prebuilts/api/28.0/private/vdc.te
@@ -0,0 +1,3 @@
+typeattribute vdc coredomain;
+
+init_daemon_domain(vdc)
diff --git a/prebuilts/api/28.0/private/vendor_init.te b/prebuilts/api/28.0/private/vendor_init.te
new file mode 100644
index 000000000..50efc22d6
--- /dev/null
+++ b/prebuilts/api/28.0/private/vendor_init.te
@@ -0,0 +1,4 @@
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit vendor_init sysfs:dir write;
diff --git a/prebuilts/api/28.0/private/virtual_touchpad.te b/prebuilts/api/28.0/private/virtual_touchpad.te
new file mode 100644
index 000000000..e735172fe
--- /dev/null
+++ b/prebuilts/api/28.0/private/virtual_touchpad.te
@@ -0,0 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
+init_daemon_domain(virtual_touchpad)
diff --git a/prebuilts/api/28.0/private/vold.te b/prebuilts/api/28.0/private/vold.te
new file mode 100644
index 000000000..a6d1001d1
--- /dev/null
+++ b/prebuilts/api/28.0/private/vold.te
@@ -0,0 +1,19 @@
+typeattribute vold coredomain;
+
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
diff --git a/prebuilts/api/28.0/private/vold_prepare_subdirs.te b/prebuilts/api/28.0/private/vold_prepare_subdirs.te
new file mode 100644
index 000000000..f93057e60
--- /dev/null
+++ b/prebuilts/api/28.0/private/vold_prepare_subdirs.te
@@ -0,0 +1,19 @@
+domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+
+allow vold_prepare_subdirs system_file:file execute_no_trans;
+allow vold_prepare_subdirs shell_exec:file rx_file_perms;
+allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
+allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
+allow vold_prepare_subdirs vold:fd use;
+allow vold_prepare_subdirs vold:fifo_file { read write };
+allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
+allow vold_prepare_subdirs self:process setfscreate;
+allow vold_prepare_subdirs {
+ system_data_file
+ vendor_data_file
+}:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
+allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
+allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
+allow vold_prepare_subdirs fingerprint_vendor_data_file:dir create_dir_perms;
diff --git a/prebuilts/api/28.0/private/vr_hwc.te b/prebuilts/api/28.0/private/vr_hwc.te
new file mode 100644
index 000000000..053c03d98
--- /dev/null
+++ b/prebuilts/api/28.0/private/vr_hwc.te
@@ -0,0 +1,6 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/prebuilts/api/28.0/private/watchdogd.te b/prebuilts/api/28.0/private/watchdogd.te
new file mode 100644
index 000000000..36dd30fd7
--- /dev/null
+++ b/prebuilts/api/28.0/private/watchdogd.te
@@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
diff --git a/prebuilts/api/28.0/private/webview_zygote.te b/prebuilts/api/28.0/private/webview_zygote.te
new file mode 100644
index 000000000..55b268a30
--- /dev/null
+++ b/prebuilts/api/28.0/private/webview_zygote.te
@@ -0,0 +1,140 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+typeattribute webview_zygote coredomain;
+
+# The webview_zygote needs to be able to transition domains.
+typeattribute webview_zygote mlstrustedsubject;
+
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
+tmpfs_domain(webview_zygote);
+
+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:global_capability_class_set { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:global_capability_class_set setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+
+# Allow webview_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow webview_zygote debugfs_trace_marker:file getattr;
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+
+# TODO (b/72957399) remove this when webview_zygote is reparented to
+# app_process zygote
+dontaudit webview_zygote dex2oat_exec:file execute;
+
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+# Directory listing in /system.
+allow webview_zygote system_file:dir r_dir_perms;
+
+# Read system properties managed by zygote.
+allow webview_zygote zygote_tmpfs:file read;
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for the zygote to fork a new
+# webview_zygote child.
+neverallow { domain -zygote } webview_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote {
+ app_data_file
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+}:file { rwx_file_perms };
+
+neverallow webview_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/prebuilts/api/28.0/private/wificond.te b/prebuilts/api/28.0/private/wificond.te
new file mode 100644
index 000000000..cc7644745
--- /dev/null
+++ b/prebuilts/api/28.0/private/wificond.te
@@ -0,0 +1,4 @@
+typeattribute wificond coredomain;
+
+init_daemon_domain(wificond)
+hal_client_domain(wificond, hal_wifi_offload)
diff --git a/prebuilts/api/28.0/private/wpantund.te b/prebuilts/api/28.0/private/wpantund.te
new file mode 100644
index 000000000..e91662cb7
--- /dev/null
+++ b/prebuilts/api/28.0/private/wpantund.te
@@ -0,0 +1,3 @@
+typeattribute wpantund coredomain;
+
+init_daemon_domain(wpantund)
diff --git a/prebuilts/api/28.0/private/zygote.te b/prebuilts/api/28.0/private/zygote.te
new file mode 100644
index 000000000..2dcbdf1aa
--- /dev/null
+++ b/prebuilts/api/28.0/private/zygote.te
@@ -0,0 +1,140 @@
+# zygote
+typeattribute zygote coredomain;
+typeattribute zygote mlstrustedsubject;
+
+init_daemon_domain(zygote)
+
+read_runtime_log_tags(zygote)
+
+# Override DAC on files and switch uid/gid.
+allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+
+# Drop capabilities from bounding set.
+allow zygote self:global_capability_class_set setpcap;
+
+# Switch SELinux context to app domains.
+allow zygote self:process setcurrent;
+allow zygote system_server:process dyntransition;
+allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
+
+# Allow zygote to read app /proc/pid dirs (b/10455872).
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
+
+# Move children into the peer process group.
+allow zygote system_server:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+allow zygote webview_zygote:process { getpgid setpgid };
+
+# Read system data.
+allow zygote system_data_file:dir r_dir_perms;
+allow zygote system_data_file:file r_file_perms;
+
+# Write to /data/dalvik-cache.
+allow zygote dalvikcache_data_file:dir create_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+
+# Create symlinks in /data/dalvik-cache.
+allow zygote dalvikcache_data_file:lnk_file create_file_perms;
+
+# Write to /data/resource-cache.
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
+
+# When WITH_DEXPREOPT is true, the zygote does not load executable content from
+# /data/dalvik-cache.
+allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
+
+# Execute idmap and dex2oat within zygote's own domain.
+# TODO: Should either of these be transitioned to the same domain
+# used by installd or stay in-domain for zygote?
+allow zygote idmap_exec:file rx_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote self:global_capability_class_set sys_admin;
+
+# Allow zygote to stat the files that it opens. The zygote must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow zygote pmsg_device:chr_file getattr;
+allow zygote debugfs_trace_marker:file getattr;
+
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+
+# Native bridge functionality requires that zygote replaces
+# /proc/cpuinfo with /system/lib//cpuinfo using a bind mount
+allow zygote proc_cpuinfo:file mounton;
+
+# Allow remounting rootfs as MS_SLAVE.
+allow zygote rootfs:dir mounton;
+allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
+
+# Allow creating user-specific storage source if started before vold.
+allow zygote mnt_user_file:dir create_dir_perms;
+allow zygote mnt_user_file:lnk_file create_file_perms;
+# Allowed to mount user-specific storage into place
+allow zygote storage_file:dir { search mounton };
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file rx_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+r_dir_file(zygote, rootfs)
+
+# System file accesses.
+r_dir_file(zygote, system_file)
+
+userdebug_or_eng(`
+ # Allow zygote to create and write method traces in /data/misc/trace.
+ allow zygote method_trace_data_file:dir w_dir_perms;
+ allow zygote method_trace_data_file:file { create w_file_perms };
+')
+
+allow zygote ion_device:chr_file r_file_perms;
+allow zygote tmpfs:dir r_dir_perms;
+
+# Let the zygote access overlays so it can initialize the AssetManager.
+get_prop(zygote, overlay_prop)
+get_prop(zygote, exported_overlay_prop)
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server and webview_zygote.
+neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
+
+# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+neverallow zygote {
+ data_file_type
+ -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/prebuilts/api/28.0/public/adbd.te b/prebuilts/api/28.0/public/adbd.te
new file mode 100644
index 000000000..95854c01e
--- /dev/null
+++ b/prebuilts/api/28.0/public/adbd.te
@@ -0,0 +1,4 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain;
+type adbd_exec, exec_type, file_type;
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
new file mode 100644
index 000000000..5df558e39
--- /dev/null
+++ b/prebuilts/api/28.0/public/app.te
@@ -0,0 +1,582 @@
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain ashmem_device:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Place process into foreground / background
+allow appdomain cgroup:dir { search write };
+allow appdomain cgroup:file rw_file_perms;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace.
(Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow {
+ untrusted_app_25
+ untrusted_app_27
+ ephemeral_app
+ priv_app
+ system_app
+ platform_app
+ shell
+} qtaguid_proc:file rw_file_perms;
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
+# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
+# Exclude isolated app which may not use network sockets.
+r_dir_file({
+ untrusted_app_25
+ untrusted_app_27
+ ephemeral_app
+ priv_app
+ system_app
+ platform_app
+ shell
+}, proc_qtaguid_stat)
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow {
+ untrusted_app_25
+ untrusted_app_27
+ ephemeral_app
+ priv_app
+ system_app
+ platform_app
+ shell
+} qtaguid_device:chr_file r_file_perms;
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain -isolated_app })
+allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
+
+# Access OBBs (vfat images) mounted by vold (b/17633509)
+# File write access allowed for FDs returned through Storage Access Framework
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app untrusted_v2_app })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore({ appdomain -isolated_app -ephemeral_app })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# TODO is write really necessary ?
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin and wake_alarm.
+neverallow { appdomain -bluetooth } self:capability_class_set *;
+
+# Block device access.
+neverallow appdomain dev_type:blk_file { read write };
+
+# Access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+ video_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc } nfc_device:chr_file
+ { read write };
+neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
+ { read write };
+neverallow appdomain tee_device:chr_file { read write };
+
+# Privileged netlink socket interfaces.
+neverallow appdomain
+ domain:{
+ netlink_tcpdiag_socket
+ netlink_nflog_socket
+ netlink_xfrm_socket
+ netlink_audit_socket
+ netlink_dnrt_socket
+ } *;
+
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow appdomain socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow appdomain adbd_socket:sock_file write;
+neverallow { appdomain -radio } rild_socket:sock_file write;
+neverallow appdomain zygote_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow appdomain { domain -appdomain }:process ptrace;
+
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+neverallow appdomain { domain -appdomain }:process
+ { sigkill sigstop signal };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+ { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+ { dyntransition };
+
+# Write to rootfs.
+neverallow appdomain rootfs:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow appdomain system_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow appdomain exec_type:file
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts. Define a different type for portions
+# that should be writable by apps.
+neverallow appdomain system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow appdomain drm_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell }
+ shell_data_file:dir_file_class_set
+ { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth }
+ bluetooth_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ keystore_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ systemkeys_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ dhcp_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# access tmp apk files
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+ { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
+
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+
+# Access to factory files.
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc }
+ sysfs:dir_file_class_set write;
+neverallow appdomain
+ proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow appdomain fs_type:filesystem ~getattr;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+ apk_data_file
+ cache_file
+ cache_recovery_file
+ dev_type
+ rootfs
+ system_file
+ tmpfs
+}:lnk_file no_w_file_perms;
+
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+ appdomain
+ -shell # bugreport
+} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+ appdomain
+ -bluetooth
+ -system_app
+} { bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+
+# Apps cannot access proc_uid_time_in_state
+neverallow appdomain proc_uid_time_in_state:file *;
+
+# Apps cannot access proc_uid_concurrent_active_time
+neverallow appdomain proc_uid_concurrent_active_time:file *;
+
+# Apps cannot access proc_uid_concurrent_policy_time
+neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
diff --git a/prebuilts/api/28.0/public/asan_extract.te b/prebuilts/api/28.0/public/asan_extract.te
new file mode 100644
index 000000000..15c5a09fd
--- /dev/null
+++ b/prebuilts/api/28.0/public/asan_extract.te
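Review bot: The set passed to `control_logd` in the "logd access" stanza of this hunk reads `control_logd({ appdomain -ephemeral_app untrusted_v2_app })`, naming untrusted_v2_app without the `-` that every neighbouring exclusion in the same file uses (`{ appdomain -ephemeral_app -untrusted_v2_app }` for shell_exec, toolbox_exec, system_file and vendor_app_file). Since untrusted_v2_app is presumably already a member of appdomain, the bare name adds nothing and the rule grants logd control to untrusted_v2_app, which looks unintended given that it is paired with ephemeral_app everywhere else; if that reading is right the line should be `control_logd({ appdomain -ephemeral_app -untrusted_v2_app })`. Because prebuilts/api/28.0 is a frozen API snapshot, the correction belongs in public/app.te first and this copy should only follow what is frozen there, so at minimum a comment flagging the asymmetry is warranted. Separately, `allow appdomain console_device:chr_file { read write };` is the only device rule in the file with no comment and no isolated_app exclusion; a one-line rationale would help the next reviewer judge whether it is still needed.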
@@ -0,0 +1,36 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+ type asan_extract, domain, coredomain;
+ type asan_extract_exec, exec_type, file_type;
+
+ # Allow asan_extract to execute itself using #!/system/bin/sh
+ allow asan_extract shell_exec:file rx_file_perms;
+
+ # We execute log, rm, gzip and tar.
+ allow asan_extract toolbox_exec:file rx_file_perms;
+ allow asan_extract system_file:file execute_no_trans;
+
+ # asan_extract deletes old /data/lib.
+ allow asan_extract system_file:dir { open read remove_name rmdir write };
+ allow asan_extract system_file:file unlink;
+
+ # asan_extract untars ASAN libraries into /data.
+ allow asan_extract system_data_file:dir create_dir_perms ;
+ allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+ # Relabel the libraries with restorecon.
+ allow asan_extract file_contexts_file:file r_file_perms;
+ allow asan_extract system_data_file:{ dir file } relabelfrom;
+ allow asan_extract system_file:dir { relabelto setattr };
+ allow asan_extract system_file:file relabelto;
+
+ # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+ allow asan_extract system_data_file:file execute;
+
+ # We need to signal a reboot when done.
+ set_prop(asan_extract, powerctl_prop)
+')
diff --git a/prebuilts/api/28.0/public/attributes b/prebuilts/api/28.0/public/attributes
new file mode 100644
index 000000000..159d28e4e
--- /dev/null
+++ b/prebuilts/api/28.0/public/attributes
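Review bot: The file header in this hunk, `# This command set moves the artifact corresponding to the current slot` / `# from /data/ota to /data/dalvik-cache.`, does not describe the rules beneath it: nothing here touches /data/ota or dalvik-cache, while the rules untar libraries into system_data_file, relabel them to system_file and set powerctl_prop to request a reboot, so the header looks copied from another domain's policy. Suggest replacing it with something like `# asan_extract: unpacks the sanitized (ASAN) libraries into /data, restorecons them` / `# to system_file and then requests a reboot.` The comment `# asan_extract deletes old /data/lib.` sits above rules on `system_file:dir` and `system_file:file`, which is only consistent if the previously extracted tree carries the system_file label after restorecon; saying so explicitly, e.g. `# (the previous /data/asan tree is labeled system_file after restorecon)`, would stop a reader assuming a mislabel. The trailing space before `;` in the two `create_*_perms ;` lines is a minor style nit.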
@@ -0,0 +1,290 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# in tools/checkfc.c
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute fs_type;
+
+# All types used for context= mounts.
+attribute contextmount_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+expandattribute data_file_type false;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+expandattribute core_data_file_type false;
+# All types in /vendor
+attribute vendor_file_type;
+
+# All types used for procfs files.
+attribute proc_type;
+
+# All types used for sysfs files.
+attribute sysfs_type;
+
+# All types use for debugfs files.
+attribute debugfs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+# On change, update CHECK_PC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute property_type;
+
+# All properties defined in core SELinux policy. Should not be
+# used by device specific properties
+attribute core_property_type;
+
+# All properties used to configure log filtering.
+attribute log_property_type;
+
+# All service_manager types created by system_server
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which should be available to all ephemeral apps
+attribute ephemeral_app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
+
+# All types used for services managed by servicemanager.
+# On change, update CHECK_SC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute service_manager_type;
+
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All third party apps.
+attribute untrusted_app_all;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# update_engine related domains that need to apply an update and run
+# postinstall. This includes the background daemon and the sideload tool from
+# recovery for A/B devices.
+attribute update_engine_common;
+
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+expandattribute coredomain_socket false;
+
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+expandattribute binder_in_vendor_violators false;
+
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+expandattribute socket_between_core_and_vendor_violators false;
+
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+expandattribute vendor_executes_system_violators false;
+
+# All domains which violate the requirement of not sharing files by path
+# between between vendor and core domains.
+# TODO(b/34980020)
+attribute data_between_core_and_vendor_violators;
+expandattribute data_between_core_and_vendor_violators false;
+
+# All system domains which violate the requirement of not executing vendor
+# binaries/libraries.
+# TODO(b/62041836)
+attribute system_executes_vendor_violators;
+expandattribute system_executes_vendor_violators false;
+
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+expandattribute untrusted_app_visible_hwservice false;
+
+# halserver domains that are accessible to untrusted applications. These
+# domains are typically those hosting hwservices attributed by the
+# untrusted_app_visible_hwservice.
+# WARNING: Use of this attribute should be avoided unless absolutely necessary.
+# It is a temporary allowance to aid the transition to treble and will be
+# removed in the future platform version, requiring all halserver domains that
+# are labeled with this attribute to be submitted to AOSP in order to maintain
+# their app-visibility.
+attribute untrusted_app_visible_halserver;
+expandattribute untrusted_app_visible_halserver false;
+
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+expandattribute pdx_endpoint_socket_type false;
+attribute pdx_channel_socket_type;
+expandattribute pdx_channel_socket_type false;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(bufferhub_client)
+
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
+expandattribute halclientdomain true;
+
+# TODO(b/72757373): Use hal_attribute macro once expandattribute value conflicts
+# can be resolve.
+attribute hal_audio;
+attribute hal_audio_client;
+expandattribute hal_audio_client true;
+attribute hal_audio_server;
+expandattribute hal_audio_server false;
+
+attribute hal_bootctl;
+attribute hal_bootctl_client;
+expandattribute hal_bootctl_client true;
+attribute hal_bootctl_server;
+expandattribute hal_bootctl_server false;
+
+attribute hal_camera;
+attribute hal_camera_client;
+expandattribute hal_camera_client true;
+attribute hal_camera_server;
+expandattribute hal_camera_server false;
+
+attribute hal_drm;
+attribute hal_drm_client;
+expandattribute hal_drm_client true;
+attribute hal_drm_server;
+expandattribute hal_drm_server false;
+
+attribute hal_cas;
+attribute hal_cas_client;
+expandattribute hal_cas_client true;
+attribute hal_cas_server;
+expandattribute hal_cas_server false;
+
+# HALs
+hal_attribute(allocator);
+hal_attribute(authsecret);
+hal_attribute(bluetooth);
+hal_attribute(broadcastradio);
+hal_attribute(configstore);
+hal_attribute(confirmationui);
+hal_attribute(contexthub);
+hal_attribute(dumpstate);
+hal_attribute(fingerprint);
+hal_attribute(gatekeeper);
+hal_attribute(gnss);
+hal_attribute(graphics_allocator);
+hal_attribute(graphics_composer);
+hal_attribute(health);
+hal_attribute(ir);
+hal_attribute(keymaster);
+hal_attribute(light);
+hal_attribute(lowpan);
+hal_attribute(memtrack);
+hal_attribute(neuralnetworks);
+hal_attribute(nfc);
+hal_attribute(oemlock);
+hal_attribute(power);
+hal_attribute(secure_element);
+hal_attribute(sensors);
+hal_attribute(telephony);
+hal_attribute(tetheroffload);
+hal_attribute(thermal);
+hal_attribute(tv_cec);
+hal_attribute(tv_input);
+hal_attribute(usb);
+hal_attribute(usb_gadget);
+hal_attribute(vibrator);
+hal_attribute(vr);
+hal_attribute(weaver);
+hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
+hal_attribute(wifi_offload);
+hal_attribute(wifi_supplicant);
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server to loosen the coupling
between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute display_service_server;
+attribute wifi_keystore_service_server;
diff --git a/prebuilts/api/28.0/public/audioserver.te b/prebuilts/api/28.0/public/audioserver.te
new file mode 100644
index 000000000..9a7285821
--- /dev/null
+++ b/prebuilts/api/28.0/public/audioserver.te
@@ -0,0 +1,2 @@
+# audioserver - audio services daemon
+type audioserver, domain;
diff --git a/prebuilts/api/28.0/public/blkid.te b/prebuilts/api/28.0/public/blkid.te
new file mode 100644
index 000000000..dabe01452
--- /dev/null
+++ b/prebuilts/api/28.0/public/blkid.te
@@ -0,0 +1,2 @@
+# blkid called from vold
+type blkid, domain;
diff --git a/prebuilts/api/28.0/public/blkid_untrusted.te b/prebuilts/api/28.0/public/blkid_untrusted.te
new file mode 100644
index 000000000..4be4c0cb2
--- /dev/null
+++ b/prebuilts/api/28.0/public/blkid_untrusted.te
@@ -0,0 +1,2 @@
+# blkid for untrusted block devices
+type blkid_untrusted, domain;
diff --git a/prebuilts/api/28.0/public/bluetooth.te b/prebuilts/api/28.0/public/bluetooth.te
new file mode 100644
index 000000000..9b3442aa5
--- /dev/null
+++ b/prebuilts/api/28.0/public/bluetooth.te
@@ -0,0 +1,2 @@
+# bluetooth subsystem
+type bluetooth, domain;
diff --git a/prebuilts/api/28.0/public/bootanim.te b/prebuilts/api/28.0/public/bootanim.te
new file mode 100644
index 000000000..32602273d
--- /dev/null
+++ b/prebuilts/api/28.0/public/bootanim.te
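Review bot: Three comment slips in the attributes hunk are worth fixing while the file is being added: the line above the data_between_core_and_vendor_violators declaration reads `# between between vendor and core domains.` (doubled word), the TODO above the hand-expanded hal_audio/hal_bootctl/hal_camera/hal_drm/hal_cas attributes ends `# can be resolve.` and should be `# can be resolved.`, and `# All types use for debugfs files.` near the top should read `# All types used for debugfs files.` to match its neighbours. These are comment-only, so if this prebuilt is meant to mirror public/attributes byte-for-byte the corrections should land there first and the snapshot be regenerated rather than edited by hand here.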
@@ -0,0 +1,42 @@
+# bootanimation oneshot service
+type bootanim, domain;
+type bootanim_exec, exec_type, file_type;
+
+hal_client_domain(bootanim, hal_configstore)
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+binder_call(bootanim, audioserver)
+
+hwbinder_use(bootanim)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
+
+# /oem access
+allow bootanim oemfs:dir search;
+allow bootanim oemfs:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
+
+allow bootanim audioserver_service:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
+
+# Allow access to ion memory allocation device
+allow bootanim ion_device:chr_file rw_file_perms;
+allow bootanim hal_graphics_allocator:fd use;
+
+# Fences
+allow bootanim hal_graphics_composer:fd use;
+
+# Read access to pseudo filesystems.
+allow bootanim proc_meminfo:file r_file_perms;
+
+# System file accesses.
+allow bootanim system_file:dir r_dir_perms;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
+
diff --git a/prebuilts/api/28.0/public/bootstat.te b/prebuilts/api/28.0/public/bootstat.te
new file mode 100644
index 000000000..7ba023815
--- /dev/null
+++ b/prebuilts/api/28.0/public/bootstat.te
@@ -0,0 +1,57 @@
+# bootstat command
+type bootstat, domain;
+type bootstat_exec, exec_type, file_type;
+
+read_runtime_log_tags(bootstat)
+
+# Allow persistent storage in /data/misc/bootstat.
+allow bootstat bootstat_data_file:dir rw_dir_perms;
+allow bootstat bootstat_data_file:file create_file_perms;
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+# ToDo: TBI move access for the following to a system health HAL
+
+# Allow access to /sys/fs/pstore/ and syslog
+allow bootstat pstorefs:dir search;
+allow bootstat pstorefs:file r_file_perms;
+allow bootstat kernel:system syslog_read;
+
+# Allow access to reading the logs to read aspects of system health
+read_logd(bootstat)
+
+# ToDo: end
+
+neverallow {
+ domain
+ -bootanim
+ -bootstat
+ -dumpstate
+ -init
+ -recovery
+ -shell
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+} system_boot_reason_prop:property_service set;
diff --git a/prebuilts/api/28.0/public/bufferhubd.te b/prebuilts/api/28.0/public/bufferhubd.te
new file mode 100644
index 000000000..274c2716b
--- /dev/null
+++ b/prebuilts/api/28.0/public/bufferhubd.te
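Review bot: The comment on the refining neverallow says these components should not *set* the last boot reason, but the rule it annotates, `neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;`, denies reading the property file; the set-side restriction is the separate `property_service set` neverallow further down. Suggest `# ... and refine, as these components should not read the last boot reason` so the comment matches the permission being denied. The following comment also has a typo, `propertly` for `property`. The read neverallow excludes `-shell` while the set-side lists do not; a one-line comment on why shell needs read access to these properties would make that asymmetry intentional rather than accidental.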
@@ -0,0 +1,20 @@
+# bufferhubd
+type bufferhubd, domain, mlstrustedsubject;
+type bufferhubd_exec, exec_type, file_type;
+
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
+
+# Access the GPU.
+allow bufferhubd gpu_device:chr_file rw_file_perms;
+
+# Access /dev/ion
+allow bufferhubd ion_device:chr_file r_file_perms;
+
+# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
+# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
+# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
+# Thus, there is no need to use pdx_client macro.
+allow bufferhubd mediacodec:fd use;
diff --git a/prebuilts/api/28.0/public/cameraserver.te b/prebuilts/api/28.0/public/cameraserver.te
new file mode 100644
index 000000000..3fdca537e
--- /dev/null
+++ b/prebuilts/api/28.0/public/cameraserver.te
@@ -0,0 +1,65 @@
+# cameraserver - camera daemon
+type cameraserver, domain;
+type cameraserver_exec, exec_type, file_type;
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+hal_client_domain(cameraserver, hal_camera)
+
+hal_client_domain(cameraserver, hal_graphics_allocator)
+
+allow cameraserver ion_device:chr_file rw_file_perms;
+
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
+add_service(cameraserver, cameraserver_service)
+
+allow cameraserver activity_service:service_manager find;
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+allow cameraserver shell:fd use;
+allow cameraserver shell:unix_stream_socket { read write };
+allow cameraserver shell:fifo_file { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow cameraserver su:fd use;
+ allow cameraserver su:fifo_file { read write };
+ allow cameraserver su:unix_stream_socket { read write };
+')
diff --git a/prebuilts/api/28.0/public/charger.te b/prebuilts/api/28.0/public/charger.te
new file mode 100644
index 000000000..7145548a5
--- /dev/null
+++ b/prebuilts/api/28.0/public/charger.te
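Review bot: The comment `# Allow shell commands from ADB for CTS testing/dumping` is repeated verbatim above the `userdebug_or_eng` block, where the rules concern `su` rather than `adbd`/`shell`; the second copy should say what differs, e.g. `# On userdebug/eng builds, also let the root shell (su) drive dumps and CTS`. The network neverallow names only `tcp_socket`, `udp_socket` and `rawip_socket`, so the preceding comment's claim that cameraserver is isolated from the network holds only as long as no other rule grants it a different network socket class; a short sentence next to the neverallow stating that scope would make the invariant explicit for later readers.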
@@ -0,0 +1,45 @@
+# charger seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type charger, domain;
+
+# Write to /dev/kmsg
+allow charger kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger, rootfs)
+r_dir_file(charger, cgroup)
+
+# Allow to read /sys/class/power_supply directory
+allow charger sysfs_type:dir r_dir_perms;
+
+allow charger self:global_capability_class_set { sys_tty_config };
+allow charger self:global_capability_class_set sys_boot;
+
+wakelock_use(charger)
+
+allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Read/write to /sys/power/state
+allow charger sysfs_power:file rw_file_perms;
+
+r_dir_file(charger, sysfs_batteryinfo)
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger pstorefs:dir r_dir_perms;
+allow charger pstorefs:file r_file_perms;
+
+allow charger graphics_device:dir r_dir_perms;
+allow charger graphics_device:chr_file rw_file_perms;
+allow charger input_device:dir r_dir_perms;
+allow charger input_device:chr_file r_file_perms;
+allow charger tty_device:chr_file rw_file_perms;
+allow charger proc_sysrq:file rw_file_perms;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported2_system_prop)
+set_prop(charger, exported3_system_prop)
diff --git a/prebuilts/api/28.0/public/clatd.te b/prebuilts/api/28.0/public/clatd.te
new file mode 100644
index 000000000..ee44abf7c
--- /dev/null
+++ b/prebuilts/api/28.0/public/clatd.te
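Review bot: The comment `# Allow to read /sys/class/power_supply directory` is narrower than the rule beneath it, `allow charger sysfs_type:dir r_dir_perms;`, which grants directory read on every type carrying the `sysfs_type` attribute, and `r_dir_file(charger, sysfs_batteryinfo)` further down already covers the battery directory; either narrow the rule or reword the comment to state the broad grant and why charger needs it. The two adjacent capability rules can be one line, `allow charger self:global_capability_class_set { sys_boot sys_tty_config };`. `allow charger proc_sysrq:file rw_file_perms;` is the only pseudo-filesystem grant in the file without a why-comment; a line stating what charger writes there would help the next reviewer judge whether `rw_file_perms` is needed.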
@@ -0,0 +1,33 @@
+# 464xlat daemon
+type clatd, domain;
+type clatd_exec, exec_type, file_type;
+
+net_domain(clatd)
+
+r_dir_file(clatd, proc_net)
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+# TODO: Check whether some or all of these sockets should be close-on-exec.
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+allow clatd netd:unix_dgram_socket { read write };
+
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
+
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:global_capability_class_set ipc_lock;
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/28.0/public/cppreopts.te b/prebuilts/api/28.0/public/cppreopts.te
new file mode 100644
index 000000000..fb9855eea
--- /dev/null
+++ b/prebuilts/api/28.0/public/cppreopts.te
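Review bot: The why-comment for the `ipc_lock` grant cites `https://b.corp.google.com/issues/21736319`, an internal tracker URL that readers of this public policy cannot open; the short form used elsewhere in this diff (bootanim.te cites `b/30654343`) would be consistent, i.e. `# b/21736319`. The `# TODO: Check whether some or all of these sockets should be close-on-exec.` note is the same open question raised again in dnsmasq.te later in this diff over the same set of netd sockets, so it would be cleaner to track it once with a bug reference than to leave two untracked TODOs.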
@@ -0,0 +1,22 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject;
+type cppreopts_exec, exec_type, file_type;
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/28.0/public/crash_dump.te b/prebuilts/api/28.0/public/crash_dump.te
new file mode 100644
index 000000000..f778d2818
--- /dev/null
+++ b/prebuilts/api/28.0/public/crash_dump.te
@@ -0,0 +1,73 @@
+type crash_dump, domain;
+type crash_dump_exec, exec_type, file_type;
+
+allow crash_dump {
+ domain
+ -init
+ -crash_dump
+ -keystore
+ -logd
+}:process { ptrace signal sigchld sigstop sigkill };
+
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+userdebug_or_eng(`
+ allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+
+ # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
+ allow crash_dump kmsg_debug_device:chr_file { open append };
+')
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow crash_dump dalvikcache_data_file:dir { search getattr };
+allow crash_dump dalvikcache_data_file:file r_file_perms;
+
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Talk to ActivityManager.
+unix_socket_connect(crash_dump, system_ndebug, system_server)
+
+# Append to ANR files.
+allow crash_dump anr_data_file:file { append getattr };
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+read_logd(crash_dump)
+
+# Crash dump is not intended to access the following data types. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+ core_data_file_type
+ vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:file read;
+
+###
+### neverallow assertions
+###
+
+# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
+# Do not allow the execution of crash_dump without a domain transition.
+neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/prebuilts/api/28.0/public/device.te b/prebuilts/api/28.0/public/device.te
new file mode 100644
index 000000000..231c83938
--- /dev/null
+++ b/prebuilts/api/28.0/public/device.te
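Review bot: `allow crash_dump domain:fifo_file { read write };` and `allow crash_dump domain:fifo_file { append };` have the same source, target and class and could be a single `allow crash_dump domain:fifo_file { read write append };` with the two comments merged, so the full pipe permission set granted against every domain is visible in one place. `r_dir_file(crash_dump, apk_data_file);` carries a trailing semicolon while the other macro invocations in the file (`r_dir_file(crash_dump, domain)`, `read_logd(crash_dump)`) do not; drop it for consistency. The `-keystore` and `-logd` exclusions in the ptrace allow are the most security-relevant lines in the file and have no comment; a line such as `# keystore holds key material and logd the audit stream; never let crash_dump trace them on user builds` (adjusting the wording to the actual rationale) would record the intent.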
@@ -0,0 +1,106 @@
+# Device types
+type device, dev_type, fs_type;
+type alarm_device, dev_type, mlstrustedobject;
+type ashmem_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type audio_timer_device, dev_type;
+type audio_seq_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type keychord_device, dev_type;
+type loop_control_device, dev_type;
+type loop_device, dev_type;
+type pmsg_device, dev_type, mlstrustedobject;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type rtc_device, dev_type;
+type vold_device, dev_type;
+type console_device, dev_type;
+type cpuctl_device, dev_type;
+type fscklogs, dev_type;
+type full_device, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
+type graphics_device, dev_type;
+type hw_random_device, dev_type;
+type input_device, dev_type;
+type kmem_device, dev_type;
+type port_device, dev_type;
+type lowpan_device, dev_type;
+type mtd_device, dev_type;
+type mtp_device, dev_type, mlstrustedobject;
+type nfc_device, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type kmsg_device, dev_type;
+type kmsg_debug_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type, mlstrustedobject;
+type secure_element_device, dev_type;
+type sensors_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
+type tty_device, dev_type;
+type video_device, dev_type;
+type vcs_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
+type fuse_device, dev_type, mlstrustedobject;
+type iio_device, dev_type;
+type ion_device, dev_type, mlstrustedobject;
+type qtaguid_device, dev_type;
+type watchdog_device, dev_type;
+type uhid_device, dev_type;
+type uio_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type usbaccessory_device, dev_type, mlstrustedobject;
+type usb_device, dev_type, mlstrustedobject;
+type properties_device, dev_type;
+type properties_serial, dev_type;
+type property_info, dev_type;
+type i2c_device, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;
+
+# Partition layout block device
+type root_block_device, dev_type;
+
+# factory reset protection block device
+type frp_block_device, dev_type;
+
+# System block device mounted on /system.
+type system_block_device, dev_type;
+
+# Recovery block device.
+type recovery_block_device, dev_type;
+
+# boot block device.
+type boot_block_device, dev_type;
+
+# Userdata block device mounted on /data.
+type userdata_block_device, dev_type;
+
+# Cache block device mounted on /cache.
+type cache_block_device, dev_type;
+
+# Block device for any swap partition.
+type swap_block_device, dev_type;
+
+# Metadata block device used for encryption metadata.
+# Assign this type to the partition specified by the encryptable=
+# mount option in your fstab file in the entry for userdata.
+type metadata_block_device, dev_type;
+
+# The 'misc' partition used by recovery and A/B.
+type misc_block_device, dev_type;
diff --git a/prebuilts/api/28.0/public/dex2oat.te b/prebuilts/api/28.0/public/dex2oat.te
new file mode 100644
index 000000000..608ba7987
--- /dev/null
+++ b/prebuilts/api/28.0/public/dex2oat.te
@@ -0,0 +1,66 @@
+# dex2oat
+type dex2oat, domain;
+type dex2oat_exec, exec_type, file_type;
+
+r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
+
+allow dex2oat tmpfs:file { read getattr };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
+allow dex2oat dalvikcache_data_file:file write;
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
+allow dex2oat dalvikcache_data_file:lnk_file read;
+allow dex2oat installd:fd use;
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
+allow dex2oat asec_apk_file:file read;
+allow dex2oat unlabeled:file read;
+allow dex2oat oemfs:file read;
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
+allow dex2oat user_profile_data_file:file { getattr read lock };
+
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat app_data_file:file { getattr read write lock };
+
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat postinstall_dexopt:fd use;
+
+allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
+allow dex2oat postinstall_file:lnk_file { getattr read };
+
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+##############
+# Neverallow #
+##############
+
+neverallow dex2oat app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/28.0/public/dhcp.te b/prebuilts/api/28.0/public/dhcp.te
new file mode 100644
index 000000000..1f1ef2b48
--- /dev/null
+++ b/prebuilts/api/28.0/public/dhcp.te
@@ -0,0 +1,30 @@
+type dhcp, domain;
+type dhcp_exec, exec_type, file_type;
+
+net_domain(dhcp)
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms_no_ioctl;
+allow dhcp self:netlink_route_socket nlmsg_write;
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
+
+# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
+allow dhcp toolbox_exec:file rx_file_perms;
+
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
+
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
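Review bot: `allow dex2oat tmpfs:file { read getattr };` is the only grant in the first half of dex2oat.te without a why-comment, and `allow dex2oat oemfs:file read;`, `allow dex2oat apk_tmp_file:dir search;` and `allow dex2oat apk_tmp_file:file r_file_perms;` sit under a comment that explains only the `asec_apk_file` and `unlabeled` lines above them; a comment stating which tmpfs, oemfs and apk_tmp_file inputs dex2oat reads would keep the documentation in step with the rules. The `allow dex2oat unlabeled:file read;` grant is justified by forward-locked APK upgrades; if that path is legacy, a TODO with a bug reference to retire it would help, since `unlabeled` is the catch-all type and a read grant on it is the kind of rule that tends to outlive its reason.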
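Review bot: `allow dhcp netd:fifo_file rw_file_perms;` is broader than the equivalent inherited-pipe rules in clatd.te and dnsmasq.te in this same diff, which grant `{ read write }` on `netd:fifo_file`; unless dhcp needs the extra permissions bundled in `rw_file_perms`, `allow dhcp netd:fifo_file { read write };` keeps the three netd helpers consistent. `allow dhcp cgroup:dir { create write add_name };` and the `shell_exec`/`system_file` `rx_file_perms` grants carry no comment, whereas the toolbox_exec and proc_net rules do; a line such as `# dhcpcd-hooks/* are shell scripts executed in this domain (no transition)` above the exec rules would record the intent, assuming that is indeed why shell_exec is executable here.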
diff --git a/prebuilts/api/28.0/public/display_service_server.te b/prebuilts/api/28.0/public/display_service_server.te
new file mode 100644
index 000000000..c5839fa54
--- /dev/null
+++ b/prebuilts/api/28.0/public/display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/prebuilts/api/28.0/public/dnsmasq.te b/prebuilts/api/28.0/public/dnsmasq.te
new file mode 100644
index 000000000..3aaefd3e6
--- /dev/null
+++ b/prebuilts/api/28.0/public/dnsmasq.te
@@ -0,0 +1,25 @@
+# DNS, DHCP services
+type dnsmasq, domain;
+type dnsmasq_exec, exec_type, file_type;
+
+net_domain(dnsmasq)
+allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
+
+# TODO: Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:global_capability_class_set dac_override;
+
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
+
+allow dnsmasq dhcp_data_file:dir w_dir_perms;
+allow dnsmasq dhcp_data_file:file create_file_perms;
+
+# Inherit and use open files from netd.
+allow dnsmasq netd:fd use;
+allow dnsmasq netd:fifo_file { read write };
+# TODO: Investigate whether these inherited sockets should be closed on exec.
+allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
+allow dnsmasq netd:netlink_nflog_socket { read write };
+allow dnsmasq netd:netlink_route_socket { read write };
+allow dnsmasq netd:unix_stream_socket { read write };
+allow dnsmasq netd:unix_dgram_socket { read write };
+allow dnsmasq netd:udp_socket { read write };
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
new file mode 100644
index 000000000..1b7bbd4ab
--- /dev/null
+++ b/prebuilts/api/28.0/public/domain.te
@@ -0,0 +1,1357 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+userdebug_or_eng(`
+ allow domain su:fd use;
+ allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
+ allow domain su:unix_dgram_socket sendto;
+
+ allow { domain -init } su:binder { call transfer };
+
+ # Running something like "pm dump com.android.bluetooth" requires
+ # fifo writes
+ allow domain su:fifo_file { write getattr };
+
+ # allow "gdbserver --attach" to work for su.
+ allow domain su:process sigchld;
+
+ # Allow writing coredumps to /cores/*
+ allow domain coredump_file:file create_file_perms;
+ allow domain coredump_file:dir ra_dir_perms;
+')
+
+# Root fs.
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow {
+ coredomain
+ appdomain
+ binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ -hwservicemanager
+} binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+ get_prop(domain, core_property_type)
+ get_prop(domain, exported_dalvik_prop)
+ get_prop(domain, exported_ffs_prop)
+ get_prop(domain, exported_system_radio_prop)
+ get_prop(domain, exported2_config_prop)
+ get_prop(domain, exported2_radio_prop)
+ get_prop(domain, exported2_system_prop)
+ get_prop(domain, exported2_vold_prop)
+ get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_radio_prop)
+ get_prop(domain, exported3_system_prop)
+ get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+ get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+ get_prop({coredomain appdomain shell}, exported_ffs_prop)
+ get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_config_prop)
+ get_prop({coredomain appdomain shell}, exported2_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_system_prop)
+ get_prop({coredomain appdomain shell}, exported2_vold_prop)
+ get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_radio_prop)
+ get_prop({coredomain appdomain shell}, exported3_system_prop)
+ userdebug_or_eng(`
+ get_prop(su, core_property_type)
+ get_prop(su, exported_dalvik_prop)
+ get_prop(su, exported_ffs_prop)
+ get_prop(su, exported_system_radio_prop)
+ get_prop(su, exported2_config_prop)
+ get_prop(su, exported2_radio_prop)
+ get_prop(su, exported2_system_prop)
+ get_prop(su, exported2_vold_prop)
+ get_prop(su, exported3_default_prop)
+ get_prop(su, exported3_radio_prop)
+ get_prop(su, exported3_system_prop)
+ ')
+ get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
+# Public readable properties
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_fingerprint_prop)
+get_prop(domain, exported_radio_prop)
+get_prop(domain, exported_secure_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, exported_vold_prop)
+get_prop(domain, exported2_default_prop)
+get_prop(domain, logd_prop)
+
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts_file:file r_file_perms;
+
+allow domain init:key search;
+allow domain vold:key search;
+
+# logd access
+write_logd(domain)
+
+# System file accesses.
+allow domain system_file:dir { search getattr };
+allow domain system_file:file { execute read open getattr map };
+allow domain system_file:lnk_file { getattr read };
+
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+ allow domain vendor_file_type:dir { search getattr };
+ allow domain vendor_file_type:file { execute read open getattr map };
+ allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr map };
+
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+full_treble_only(`
+ # Allow all domains to be able to follow /system/vendor and/or
+ # /vendor/odm symlinks.
+ allow domain vendor_file_type:lnk_file { getattr open read };
+
+ # This is required to be able to search & read /vendor/lib64
+ # in order to lookup vendor libraries. The execute permission
+ # for coredomains is granted *only* for same process HALs
+ allow domain vendor_file:dir { getattr search };
+
+ # Allow reading and executing out of /vendor to all vendor domains
+ allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+ allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+ allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# libc references /data/misc/zoneinfo for timezone related information
+# This directory is considered to be a VNDK-stable
+allow domain zoneinfo_data_file:file r_file_perms;
+allow domain zoneinfo_data_file:dir r_dir_perms;
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+r_dir_file(domain, sysfs_usb);
+
+# files under /data.
+not_full_treble(`
+ allow domain system_data_file:dir getattr;
+')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
+allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# jemalloc needs to read /proc/sys/vm/overcommit_memory
+allow domain proc_overcommit_memory:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write }; +allow domain cgroup:file w_file_perms; + +# Almost all processes log tracing information to +# /sys/kernel/debug/tracing/trace_marker +# The reason behind this is documented in b/6513400 +allow domain debugfs:dir search; +allow domain debugfs_tracing:dir search; +allow domain debugfs_tracing_debug:dir search; +allow domain debugfs_trace_marker:file w_file_perms; + +# Filesystem access. +allow domain fs_type:filesystem getattr; +allow domain fs_type:dir getattr; + +# Restrict all domains to a whitelist for common socket types. Additional +# ioctl commands may be added to individual domains, but this sets safe +# defaults for all processes. Note that granting this whitelist to domain does +# not grant the ioctl permission on these socket types. That must be granted +# separately. +allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } + ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; +# default whitelist for unix sockets. +allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } + ioctl unpriv_unix_sock_ioctls; + +# Restrict PTYs to only whitelisted ioctls. +# Note that granting this whitelist to domain does +# not grant the wider ioctl permission. That must be granted +# separately. +allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls; + +# Workaround for policy compiler being too aggressive and removing hwservice_manager_type +# when it's not explicitly used in allow rules +allow { domain -domain } hwservice_manager_type:hwservice_manager { add find }; +# Workaround for policy compiler being too aggressive and removing vndservice_manager_type +# when it's not explicitly used in allow rules +allow { domain -domain } vndservice_manager_type:service_manager { add find }; + +# Under ASAN, processes will try to read /data, as the sanitized libraries are there. 
+with_asan(`allow domain system_data_file:dir getattr;') + +### +### neverallow rules +### + +# All socket ioctls must be restricted to a whitelist. +neverallowxperm domain domain:socket_class_set ioctl { 0 }; + +# b/68014825 and https://android-review.googlesource.com/516535 +# rfc6093 says that processes should not use the TCP urgent mechanism +neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; + +# TIOCSTI is only ever used for exploits. Block it. +# b/33073072, b/7530569 +# http://www.openwall.com/lists/oss-security/2016/09/26/14 +neverallowxperm * devpts:chr_file ioctl TIOCSTI; + +# Do not allow any domain other than init to create unlabeled files. +neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; + +# Limit device node creation to these whitelisted domains. +neverallow { + domain + -kernel + -init + -ueventd + -vold +} self:global_capability_class_set mknod; + +# Limit raw I/O to these whitelisted domains. Do not apply to debug builds. +neverallow { + domain + userdebug_or_eng(`-domain') + -kernel + -init + -recovery + -ueventd + -healthd + -uncrypt + -tee +} self:global_capability_class_set sys_rawio; + +# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). +neverallow * self:memprotect mmap_zero; + +# No domain needs mac_override as it is unused by SELinux. +neverallow * self:global_capability2_class_set mac_override; + +# Disallow attempts to set contexts not defined in current policy +# This helps guarantee that unknown or dangerous contents will not ever +# be set. +neverallow * self:global_capability2_class_set mac_admin; + +# Once the policy has been loaded there shall be none to modify the policy. +# It is sealed. +neverallow * kernel:security load_policy; + +# Only init prior to switching context should be able to set enforcing mode. +# init starts in kernel domain and switches to init domain via setcon in +# the init.rc, so the setenforce occurs while still in kernel. 
After +# switching domains, there is never any need to setenforce again by init. +neverallow * kernel:security setenforce; +neverallow { domain -kernel } kernel:security setcheckreqprot; + +# No booleans in AOSP policy, so no need to ever set them. +neverallow * kernel:security setbool; + +# Adjusting the AVC cache threshold. +# Not presently allowed to anything in policy, but possibly something +# that could be set from init.rc. +neverallow { domain -init } kernel:security setsecparam; + +# Only init, ueventd, shell and system_server should be able to access HW RNG +neverallow { + domain + -init + -shell # For CTS and is restricted to getattr in shell.te + -system_server + -ueventd +} hw_random_device:chr_file *; + +# Ensure that all entrypoint executables are in exec_type or postinstall_file. +neverallow * { file_type -exec_type -postinstall_file }:file entrypoint; + +# Ensure that nothing in userspace can access /dev/mem or /dev/kmem +neverallow { + domain + -shell # For CTS and is restricted to getattr in shell.te + -ueventd # Further restricted in ueventd.te +} kmem_device:chr_file *; +neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr }; + +#Ensure that nothing in userspace can access /dev/port +neverallow { + domain + -shell # Shell user should not have any abilities outside of getattr + -ueventd +} port_device:chr_file *; +neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr }; +# Only init should be able to configure kernel usermodehelpers or +# security-sensitive proc settings. +neverallow { domain -init } usermodehelper:file { append write }; +neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write }; +neverallow { domain -init -vendor_init } proc_security:file { append open read write }; + +# No domain should be allowed to ptrace init. +neverallow * init:process ptrace; + +# Init can't do anything with binder calls. 
If this neverallow rule is being +# triggered, it's probably due to a service with no SELinux domain. +neverallow * init:binder *; +neverallow * vendor_init:binder *; + +# Don't allow raw read/write/open access to block_device +# Rather force a relabel to a more specific type +neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; + +# Do not allow renaming of block files or character files +# Ability to do so can lead to possible use in an exploit chain +# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html +neverallow * *:{ blk_file chr_file } rename; + +# Don't allow raw read/write/open access to generic devices. +# Rather force a relabel to a more specific type. +neverallow domain device:chr_file { open read write }; + +# Limit what domains can mount filesystems or change their mount flags. +# sdcard_type / vfat is exempt as a larger set of domains need +# this capability, including device-specific domains. +neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; + +# +# Assert that, to the extent possible, we're not loading executable content from +# outside the rootfs or /system partition except for a few whitelisted domains. 
+# +neverallow { + domain + -appdomain + with_asan(`-asan_extract') + -dumpstate + -shell + userdebug_or_eng(`-su') + -webview_zygote + -zygote + userdebug_or_eng(`-mediaextractor') +} { + file_type + -system_file + -vendor_file_type + -exec_type + -postinstall_file +}:file execute; + +neverallow { + domain + -appdomain # for oemfs + -bootanim # for oemfs + -recovery # for /tmp/update_binary in tmpfs +} { fs_type -rootfs }:file execute; + +# Files from cache should never be executed +neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; + +# Protect most domains from executing arbitrary content from /data. +neverallow { + domain + -appdomain +} { + data_file_type + -dalvikcache_data_file + -system_data_file # shared libs in apks + -apk_data_file +}:file no_x_file_perms; + +# The test files and executables MUST not be accessible to any domain +neverallow domain nativetest_data_file:file_class_set no_w_file_perms; +neverallow domain nativetest_data_file:dir no_w_dir_perms; +neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; + +# Only the init property service should write to /data/property and /dev/__properties__ +neverallow { domain -init } property_data_file:dir no_w_dir_perms; +neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms }; +neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms }; +neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; +neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; + +# Nobody should be doing writes to /system & /vendor +# These partitions are intended to be read-only and must never be +# modified. Doing so would violate important Android security guarantees +# and invalidate dm-verity signatures. 
+neverallow { + domain + with_asan(`-asan_extract') +} { + system_file + vendor_file_type + exec_type +}:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; + +neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto; + +# Don't allow mounting on top of /system files or directories +neverallow * exec_type:dir_file_class_set mounton; +neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton; + +# Nothing should be writing to files in the rootfs. +neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; + +# Restrict context mounts to specific types marked with +# the contextmount_type attribute. +neverallow * {fs_type -contextmount_type}:filesystem relabelto; + +# Ensure that context mount types are not writable, to ensure that +# the write to /system restriction above is not bypassed via context= +# mount to another type. +neverallow * contextmount_type:dir_file_class_set + { create write setattr relabelfrom relabelto append unlink link rename }; + +# Do not allow service_manager add for default service labels. +# Instead domains should use a more specific type such as +# system_app_service rather than the generic type. +# New service_types are defined in {,hw,vnd}service.te and new mappings +# from service name to service_type are defined in {,hw,vnd}service_contexts. +neverallow * default_android_service:service_manager add; +neverallow * default_android_vndservice:service_manager { add find }; +neverallow * default_android_hwservice:hwservice_manager { add find }; + +# Looking up the base class/interface of all HwBinder services is a bad idea. +# hwservicemanager currently offer such lookups only to make it so that security +# decisions are expressed in SELinux policy. However, it's unclear whether this +# lookup has security implications. 
If it doesn't, hwservicemanager should be +# modified to not offer this lookup. +# This rule can be removed if hwservicemanager is modified to not permit these +# lookups. +neverallow * hidl_base_hwservice:hwservice_manager find; + +# Require that domains explicitly label unknown properties, and do not allow +# anyone but init to modify unknown properties. +neverallow { domain -init -vendor_init } default_prop:property_service set; +neverallow { domain -init -vendor_init } mmc_prop:property_service set; + +compatible_property_only(` + neverallow { domain -init } default_prop:property_service set; + neverallow { domain -init } mmc_prop:property_service set; + neverallow { domain -init -vendor_init } exported_default_prop:property_service set; + neverallow { domain -init } exported_secure_prop:property_service set; + neverallow { domain -init } exported2_default_prop:property_service set; + neverallow { domain -init -vendor_init } exported3_default_prop:property_service set; + neverallow { domain -init -vendor_init } vendor_default_prop:property_service set; +') + +# Only core domains are allowed to access package_manager properties +neverallow { domain -init -system_server } pm_prop:property_service set; +neverallow { domain -coredomain } pm_prop:file no_rw_file_perms; + +compatible_property_only(` + neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set; + neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms; +') + +# Do not allow reading device's serial number from system properties except form +# a few whitelisted domains. 
+neverallow { + domain + -adbd + -dumpstate + -hal_drm_server + -hal_cas_server + -init + -mediadrmserver + -recovery + -shell + -system_server + -vendor_init +} serialno_prop:file r_file_perms; + +# Do not allow reading the last boot timestamp from system properties +neverallow { domain -init -system_server } firstboot_prop:file r_file_perms; + +neverallow { + domain + -init + -recovery + -system_server + -shell # Shell is further restricted in shell.te + -ueventd # Further restricted in ueventd.te +} frp_block_device:blk_file no_rw_file_perms; + +# The metadata block device is set aside for device encryption and +# verified boot metadata. It may be reset at will and should not +# be used by other domains. +neverallow { + domain + -init + -recovery + -vold + -e2fs + -fsck +} metadata_block_device:blk_file { append link rename write open read ioctl lock }; + +# No domain other than recovery and update_engine can write to system partition(s). +neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append }; + +# No domains other than install_recovery or recovery can write to recovery. +neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append }; + +# No domains other than a select few can access the misc_block_device. This +# block device is reserved for OTA use. +# Do not assert this rule on userdebug/eng builds, due to some devices using +# this partition for testing purposes. 
+neverallow { + domain + userdebug_or_eng(`-domain') # exclude debuggable builds + -hal_bootctl_server + -init + -uncrypt + -update_engine + -vold + -recovery + -ueventd +} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; + +# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager +neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr; +# The service managers are only allowed to access their own device node +neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms; +neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms; +neverallow hwservicemanager binder_device:chr_file no_rw_file_perms; +neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms; +neverallow vndservicemanager binder_device:chr_file no_rw_file_perms; +neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms; + +# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core +# domain apps need this because Android framework offers many of its services to apps as Binder +# services. +full_treble_only(` + neverallow { + domain + -coredomain + -appdomain + -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone + } binder_device:chr_file rw_file_perms; +') +full_treble_only(` + neverallow { + domain + -coredomain + -appdomain # restrictions for vendor apps are declared lower down + -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone + } service_manager_type:service_manager find; +') +full_treble_only(` + # Vendor apps are permited to use only stable public services. If they were to use arbitrary + # services which can change any time framework/core is updated, breakage is likely. 
+ neverallow { + appdomain + -coredomain + } { + service_manager_type + -app_api_service + -ephemeral_app_api_service + -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed + -cameraserver_service + -drmserver_service + -keystore_service + -mediadrmserver_service + -mediaextractor_service + -mediametrics_service + -mediaserver_service + -nfc_service + -radio_service + -virtual_touchpad_service + -vr_hwc_service + -vr_manager_service + }:service_manager find; +') +full_treble_only(` + neverallow { + domain + -coredomain + -appdomain + -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone + } servicemanager:binder { call transfer }; +') + +# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder. +full_treble_only(` + neverallow { + coredomain + -shell + userdebug_or_eng(`-su') + -ueventd # uevent is granted create for this device, but we still neverallow I/O below + } vndbinder_device:chr_file rw_file_perms; +') +full_treble_only(` + neverallow ueventd vndbinder_device:chr_file { read write append ioctl }; +') +full_treble_only(` + neverallow { + coredomain + -shell + userdebug_or_eng(`-su') + } vndservice_manager_type:service_manager *; +') +full_treble_only(` + neverallow { + coredomain + -shell + userdebug_or_eng(`-su') + } vndservicemanager:binder *; +') + +# On full TREBLE devices, socket communications between core components and vendor components are +# not permitted. + # Most general rules first, more specific rules below. + + # Core domains are not permitted to initiate communications to vendor domain sockets. + # We are not restricting the use of already established sockets because it is fine for a process + # to obtain an already established socket via some public/official/stable API and then exchange + # data with its peer over that socket. The wire format in this scenario is dicatated by the API + # and thus does not break the core-vendor separation. 
+full_treble_only(` + neverallow_establish_socket_comms({ + coredomain + -init + -adbd + }, { + domain + -coredomain + -socket_between_core_and_vendor_violators + }); +') + # Vendor domains are not permitted to initiate communications to core domain sockets +full_treble_only(` + neverallow_establish_socket_comms({ + domain + -coredomain + -appdomain + -socket_between_core_and_vendor_violators + }, { + coredomain + -logd # Logging by writing to logd Unix domain socket is public API + -netd # netdomain needs this + -mdnsd # netdomain needs this + userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds + -init + -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services + -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services + }); +') + + # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets +full_treble_only(` + neverallow_establish_socket_comms({ + domain + -coredomain + -netdomain + -socket_between_core_and_vendor_violators + }, netd); +') + + # Vendor domains are not permitted to initiate create/open sockets owned by core domains +full_treble_only(` + neverallow { + domain + -coredomain + -appdomain # appdomain restrictions below + -data_between_core_and_vendor_violators # b/70393317 + -socket_between_core_and_vendor_violators + -vendor_init + } { + coredomain_socket + core_data_file_type + unlabeled # used only by core domains + }:sock_file ~{ append getattr ioctl read write }; +') +full_treble_only(` + neverallow { + appdomain + -coredomain + } { + coredomain_socket + unlabeled # used only by core domains + core_data_file_type + -app_data_file + -pdx_endpoint_socket_type # used by VR layer + -pdx_channel_socket_type # used by VR layer + }:sock_file ~{ append getattr ioctl read write }; +') + + # Core domains are not permitted to create/open sockets owned 
by vendor domains +full_treble_only(` + neverallow { + coredomain + -init + -ueventd + -socket_between_core_and_vendor_violators + } { + file_type + dev_type + -coredomain_socket + -core_data_file_type + -unlabeled + }:sock_file ~{ append getattr ioctl read write }; +') + +# On TREBLE devices, vendor and system components are only allowed to share +# files by passing open FDs over hwbinder. Ban all directory access and all file +# accesses other than what can be applied to an open FD such as +# ioctl/stat/read/write/append. This is enforced by segregating /data. +# Vendor domains may directly access file in /data/vendor by path, but may only +# access files outside of /data/vendor via an open FD passed over hwbinder. +# Likewise, core domains may only directly access files outside /data/vendor by +# path and files in /data/vendor by open FD. +full_treble_only(` + # only coredomains may only access core_data_file_type, particularly not + # /data/vendor + neverallow { + coredomain + -appdomain # TODO(b/34980020) remove exemption for appdomain + -data_between_core_and_vendor_violators + -init + -vold_prepare_subdirs + } { + data_file_type + -core_data_file_type + }:file_class_set ~{ append getattr ioctl read write }; +') +full_treble_only(` + neverallow { + coredomain + -appdomain # TODO(b/34980020) remove exemption for appdomain + -data_between_core_and_vendor_violators + -init + -vold_prepare_subdirs + } { + data_file_type + -core_data_file_type + # TODO(b/72998741) Remove exemption. Further restricted in a subsequent + # neverallow. Currently only getattr and search are allowed. 
+ -vendor_data_file + }:dir *; + +') +full_treble_only(` + # vendor domains may only access files in /data/vendor, never core_data_file_types + neverallow { + domain + -appdomain # TODO(b/34980020) remove exemption for appdomain + -coredomain + -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up + } { + core_data_file_type + # libc includes functions like mktime and localtime which attempt to access + # files in /data/misc/zoneinfo/tzdata file. These functions are considered + # vndk-stable and thus must be allowed for all processes. + -zoneinfo_data_file + }:file_class_set ~{ append getattr ioctl read write }; +') +full_treble_only(` + # vendor domains may only access dirs in /data/vendor, never core_data_file_types + neverallow { + domain + -appdomain # TODO(b/34980020) remove exemption for appdomain + -coredomain + -data_between_core_and_vendor_violators + } { + core_data_file_type + -system_data_file # default label for files on /data. Covered below... + -vendor_data_file + -zoneinfo_data_file + }:dir *; +') +full_treble_only(` + # vendor domains may only access dirs in /data/vendor, never core_data_file_types + neverallow { + domain + -appdomain # TODO(b/34980020) remove exemption for appdomain + -coredomain + -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up + } { + system_data_file # default label for files on /data. Covered below + }:dir ~{ getattr search }; +') + +full_treble_only(` + # coredomains may not access dirs in /data/vendor. + neverallow { + coredomain + -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up + -init + -vold # vold creates per-user storage for both system and vendor + -vold_prepare_subdirs + } { + vendor_data_file # default label for files on /data. Covered below + }:dir ~{ getattr search }; +') + +full_treble_only(` + # coredomains may not access dirs in /data/vendor. 
+ neverallow { + coredomain + -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up + -init + } { + vendor_data_file # default label for files on /data/vendor{,_ce,_de}. + }:file_class_set ~{ append getattr ioctl read write }; +') + +# On TREBLE devices, a limited set of files in /vendor are accessible to +# only a few whitelisted coredomains to keep system/vendor separation. +full_treble_only(` + # Limit access to /vendor/app + neverallow { + coredomain + -appdomain + -dex2oat + -idmap + -init + -installd + userdebug_or_eng(`-perfprofd') + -postinstall_dexopt + -system_server + } vendor_app_file:dir { open read getattr search }; +') + +full_treble_only(` + neverallow { + coredomain + -appdomain + -dex2oat + -idmap + -init + -installd + userdebug_or_eng(`-perfprofd') + -postinstall_dexopt + -system_server + } vendor_app_file:file r_file_perms; +') + +full_treble_only(` + # Limit access to /vendor/overlay + neverallow { + coredomain + -appdomain + -idmap + -init + -installd + -system_server + -webview_zygote + -zygote + } vendor_overlay_file:dir { getattr open read search }; +') + +full_treble_only(` + neverallow { + coredomain + -appdomain + -idmap + -init + -installd + -system_server + -webview_zygote + -zygote + } vendor_overlay_file:file r_file_perms; +') + +full_treble_only(` + # Non-vendor domains are not allowed to file execute shell + # from vendor + neverallow { + coredomain + -init + -shell + } vendor_shell_exec:file { execute execute_no_trans }; +') + +full_treble_only(` + # Do not allow vendor components to execute files from system + # except for the ones whitelist here. 
+ neverallow { + domain + -coredomain + -appdomain + -vendor_executes_system_violators + -vendor_init + } { + exec_type + -vendor_file_type + -crash_dump_exec + -netutils_wrapper_exec + }:file { entrypoint execute execute_no_trans }; +') + +full_treble_only(` + # Do not allow system components to execute files from vendor + # except for the ones whitelisted here. + neverallow { + coredomain + -init + -shell + -system_executes_vendor_violators + } { + vendor_file_type + -same_process_hal_file + -vndk_sp_file + -vendor_app_file + }:file execute; +') + +full_treble_only(` + neverallow { + coredomain + -shell + -system_executes_vendor_violators + } vendor_file_type:file execute_no_trans; +') + +# Only authorized processes should be writing to files in /data/dalvik-cache +neverallow { + domain + -init # TODO: limit init to relabelfrom for files + -zygote + -installd + -postinstall_dexopt + -cppreopts + -dex2oat + -otapreopt_slot +} dalvikcache_data_file:file no_w_file_perms; + +neverallow { + domain + -init + -installd + -postinstall_dexopt + -cppreopts + -dex2oat + -zygote + -otapreopt_slot +} dalvikcache_data_file:dir no_w_dir_perms; + +# Only system_server should be able to send commands via the zygote socket +neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; +neverallow { domain -system_server } zygote_socket:sock_file write; + +neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto; +neverallow { domain -system_server } webview_zygote:sock_file write; + +neverallow { + domain + -tombstoned + -crash_dump + -dumpstate + -incidentd + -system_server + + # Processes that can't exec crash_dump + -mediacodec + -mediaextractor +} tombstoned_crash_socket:unix_stream_socket connectto; + +# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to +# the tombstoned intercept socket. 
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write; +neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto; + +# Android does not support System V IPCs. +# +# The reason for this is due to the fact that, by design, they lead to global +# kernel resource leakage. +# +# For example, there is no way to automatically release a SysV semaphore +# allocated in the kernel when: +# +# - a buggy or malicious process exits +# - a non-buggy and non-malicious process crashes or is explicitly killed. +# +# Killing processes automatically to make room for new ones is an +# important part of Android's application lifecycle implementation. This means +# that, even assuming only non-buggy and non-malicious code, it is very likely +# that over time, the kernel global tables used to implement SysV IPCs will fill +# up. +neverallow * *:{ shm sem msg msgq } *; + +# Do not mount on top of symlinks, fifos, or sockets. +# Feature parity with Chromium LSM. +neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; + +# Nobody should be able to execute su on user builds. +# On userdebug/eng builds, only dumpstate, shell, and +# su itself execute su. +neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; + +# Do not allow the introduction of new execmod rules. Text relocations +# and modification of executable pages are unsafe. +# The only exceptions are for NDK text relocations associated with +# https://code.google.com/p/android/issues/detail?id=23203 +# which, long term, need to go away. +neverallow * { + file_type + -apk_data_file + -app_data_file + -asec_public_file +}:file execmod; + +# Do not allow making the stack or heap executable. +# We would also like to minimize execmem but it seems to be +# required by some device-specific service domains. 
+neverallow * self:process { execstack execheap }; + +# prohibit non-zygote spawned processes from using shared libraries +# with text relocations. b/20013628 . +neverallow { domain -untrusted_app_all } file_type:file execmod; + +neverallow { domain -init } proc:{ file dir } mounton; + +# Ensure that all types assigned to processes are included +# in the domain attribute, so that all allow and neverallow rules +# written on domain are applied to all processes. +# This is achieved by ensuring that it is impossible to transition +# from a domain to a non-domain type and vice versa. +# TODO - rework this: neverallow domain ~domain:process { transition dyntransition }; +neverallow ~domain domain:process { transition dyntransition }; + +# +# Only system_app and system_server should be creating or writing +# their files. The proper way to share files is to setup +# type transitions to a more specific type or assigning a type +# to its parent directory via a file_contexts entry. +# Example type transition: +# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) +# +neverallow { + domain + -system_server + -system_app + -init + -installd # for relabelfrom and unlink, check for this in explicit neverallow + with_asan(`-asan_extract') +} system_data_file:file no_w_file_perms; +# do not grant anything greater than r_file_perms and relabelfrom unlink +# to installd +neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; + +# respect system_app sandboxes +neverallow { + domain + -appdomain # finer-grained rules for appdomain are listed below + -system_server #populate com.android.providers.settings/databases/settings.db. + -installd # creation of app sandbox + -traced_probes # resolve inodes for i/o tracing. + # only needs open and read, the rest is neverallow in + # traced_probes.te. 
+} system_app_data_file:dir_file_class_set { create unlink open }; +neverallow { + isolated_app + untrusted_app_all # finer-grained rules for appdomain are listed below + ephemeral_app + priv_app +} system_app_data_file:dir_file_class_set { create unlink open }; + + +# Services should respect app sandboxes +neverallow { + domain + -appdomain + -installd # creation of sandbox +} app_data_file:dir_file_class_set { create unlink }; + +# +# Only these domains should transition to shell domain. This domain is +# permissible for the "shell user". If you need a process to exec a shell +# script with differing privilege, define a domain and set up a transition. +# +neverallow { + domain + -adbd + -init + -runas + -zygote +} shell:process { transition dyntransition }; + +# Only domains spawned from zygote and runas may have the appdomain attribute. +neverallow { domain -runas -webview_zygote -zygote } { + appdomain -shell userdebug_or_eng(`-su') +}:process { transition dyntransition }; + +# Minimize read access to shell- or app-writable symlinks. +# This is to prevent malicious symlink attacks. +neverallow { + domain + -appdomain + -installd + -uncrypt # TODO: see if we can remove +} app_data_file:lnk_file read; + +neverallow { + domain + -shell + userdebug_or_eng(`-uncrypt') + -installd +} shell_data_file:lnk_file read; + +# In addition to the symlink reading restrictions above, restrict +# write access to shell owned directories. The /data/local/tmp +# directory is untrustworthy, and non-whitelisted domains should +# not be trusting any content in those directories. +neverallow { + domain + -adbd + -dumpstate + -installd + -init + -shell + -vold +} shell_data_file:dir no_w_dir_perms; + +neverallow { + domain + -adbd + -appdomain + -dumpstate + -init + -installd + -system_server # why? + userdebug_or_eng(`-uncrypt') +} shell_data_file:dir { open search }; + +# Same as above for /data/local/tmp files. 
We allow shell files +# to be passed around by file descriptor, but not directly opened. +neverallow { + domain + -adbd + -appdomain + -dumpstate + -installd + userdebug_or_eng(`-uncrypt') +} shell_data_file:file open; + +# servicemanager and vndservicemanager are the only processes which handle the +# service_manager list request +neverallow * ~{ + servicemanager + vndservicemanager + }:service_manager list; + +# hwservicemanager is the only process which handles hw list requests +neverallow * ~{ + hwservicemanager + }:hwservice_manager list; + +# only service_manager_types can be added to service_manager +# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find }; + +# Prevent assigning non property types to properties +# TODO - rework this: neverallow * ~property_type:property_service set; + +# Domain types should never be assigned to any files other +# than the /proc/pid files associated with a process. The +# executable file used to enter a domain should be labeled +# with its own _exec type, not with the domain type. +# Conventionally, this looks something like: +# $ cat mydaemon.te +# type mydaemon, domain; +# type mydaemon_exec, exec_type, file_type; +# init_daemon_domain(mydaemon) +# $ grep mydaemon file_contexts +# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 +neverallow * domain:file { execute execute_no_trans entrypoint }; + +# Do not allow access to the generic debugfs label. This is too broad. +# Instead, if access to part of debugfs is desired, it should have a +# more specific label. +# TODO: fix system_server and dumpstate +neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms; + +# Profiles contain untrusted data and profman parses that. We should only run +# in from installd forked processes. +neverallow { + domain + -installd + -profman +} profman_exec:file no_x_file_perms; + +# Enforce restrictions on kernel module origin. 
+# Do not allow kernel module loading except from system, +# vendor, and boot partitions. +neverallow * ~{ system_file vendor_file rootfs }:system module_load; + +# Only allow filesystem caps to be set at build time. Runtime changes +# to filesystem capabilities are not permitted. +neverallow * self:global_capability_class_set setfcap; + +# Enforce AT_SECURE for executing crash_dump. +neverallow domain crash_dump:process noatsecure; + +# Do not permit non-core domains to register HwBinder services which are +# guaranteed to be provided by core domains only. +neverallow ~coredomain coredomain_hwservice:hwservice_manager add; + +# Do not permit the registeration of HwBinder services which are guaranteed to +# be passthrough only (i.e., run in the process of their clients instead of a +# separate server process). +neverallow * same_process_hwservice:hwservice_manager add; + +# On TREBLE devices, most coredomains should not access vendor_files. +# TODO(b/71553434): Remove exceptions here. +full_treble_only(` + neverallow { + coredomain + -appdomain + -bootanim + -crash_dump + -init + -kernel + -perfprofd + -ueventd + } vendor_file:file { no_w_file_perms no_x_file_perms open }; +') + +# Minimize dac_override and dac_read_search. +# Instead of granting them it is usually better to add the domain to +# a Unix group or change the permissions of a file. +neverallow { + domain + -dnsmasq + -dumpstate + -init + -installd + -install_recovery + -lmkd + -netd + -perfprofd + -postinstall_dexopt + -recovery + -sdcardd + -tee + -ueventd + -uncrypt + -vendor_init + -vold + -vold_prepare_subdirs + -zygote +} self:capability dac_override; +neverallow { domain -traced_probes } self:capability dac_read_search; + +# If an already existing file is opened with O_CREAT, the kernel might generate +# a false report of a create denial. Silence these denials and make sure that +# inappropriate permissions are not granted. 
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
+neverallow domain {
+ proc_type
+ sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+ dontaudit domain proc_type:dir add_name;
+ dontaudit domain sysfs_type:dir add_name;
+ dontaudit domain proc_type:file create;
+ dontaudit domain sysfs_type:file create;
+')
diff --git a/prebuilts/api/28.0/public/drmserver.te b/prebuilts/api/28.0/public/drmserver.te
new file mode 100644
index 000000000..f752c13ee
--- /dev/null
+++ b/prebuilts/api/28.0/public/drmserver.te
@@ -0,0 +1,58 @@
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, exec_type, file_type;
+
+typeattribute drmserver mlstrustedsubject;
+
+net_domain(drmserver)
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver tee_device:chr_file rw_file_perms;
+allow drmserver app_data_file:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
+r_dir_file(drmserver, efs_file)
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket. Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+allow drmserver drmserver_socket:sock_file create_file_perms;
+# Delete old socket file if present.
+allow drmserver apk_data_file:sock_file unlink;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)
+
+# Read resources from open apk files passed over Binder.
+allow drmserver apk_data_file:file { read getattr };
+allow drmserver asec_apk_file:file { read getattr };
+allow drmserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow drmserver radio_data_file:file { read getattr };
+
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
+add_service(drmserver, drmserver_service)
+allow drmserver permission_service:service_manager find;
+
+selinux_check_access(drmserver)
+
+r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, system_file)
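Review bot: The pair `allow drmserver app_data_file:file { read write getattr };` and `allow drmserver sdcard_type:file { read write getattr };` in the middle of the hunk carries no comment, whereas the apk_data_file, asec_apk_file and radio_data_file rules below it are annotated as files "passed over Binder". Neither rule grants `open`, so presumably these are descriptors handed in by other processes rather than direct access to app sandboxes or the sdcard, but nothing in the file says so, and a later edit adding `open` would silently turn them into direct write access to every app's private data. I'd add `# Read/write app and sdcard files passed over Binder; open is deliberately not granted.` above the pair, and state why `write` (not just read) is needed, since the DRM data this domain owns already lives under drm_data_file.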
diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te
new file mode 100644
index 000000000..8906f5dcf
--- /dev/null
+++ b/prebuilts/api/28.0/public/dumpstate.te
@@ -0,0 +1,289 @@ +# dumpstate +type dumpstate, domain, mlstrustedsubject; +type dumpstate_exec, exec_type, file_type; + +net_domain(dumpstate) +binder_use(dumpstate) +wakelock_use(dumpstate) + +# Allow setting process priority, protect from OOM killer, and dropping +# privileges by switching UID / GID +allow dumpstate self:global_capability_class_set { setuid setgid sys_resource }; + +# Allow dumpstate to scan through /proc/pid for all processes +r_dir_file(dumpstate, domain) + +allow dumpstate self:global_capability_class_set { + # Send signals to processes + kill + # Run iptables + net_raw + net_admin +}; + +# Allow executing files on system, such as: +# /system/bin/toolbox +# /system/bin/logcat +# /system/bin/dumpsys +allow dumpstate system_file:file execute_no_trans; +not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;') +allow dumpstate toolbox_exec:file rx_file_perms; + +# hidl searches for files in /system/lib(64)/hw/ +allow dumpstate system_file:dir r_dir_perms; + +# Create and write into /data/anr/ +allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid }; +allow dumpstate anr_data_file:dir rw_dir_perms; +allow dumpstate anr_data_file:file create_file_perms; + +# Allow reading /data/system/uiderrors.txt +# TODO: scope this down. +allow dumpstate system_data_file:file r_file_perms; + +# Read dmesg +allow dumpstate self:global_capability2_class_set syslog; +allow dumpstate kernel:system syslog_read; + +# Read /sys/fs/pstore/console-ramoops +allow dumpstate pstorefs:dir r_dir_perms; +allow dumpstate pstorefs:file r_file_perms; + +# Get process attributes +allow dumpstate domain:process getattr; + +# Signal java processes to dump their stack +allow dumpstate { appdomain system_server }:process signal; + +# Signal native processes to dump their stack. 
+allow dumpstate { + # This list comes from native_processes_to_dump in dumputils/dump_utils.c + audioserver + cameraserver + drmserver + inputflinger + mediadrmserver + mediaextractor + mediametrics + mediaserver + sdcardd + surfaceflinger + + # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c + hal_audio_server + hal_bluetooth_server + hal_camera_server + hal_drm_server + hal_graphics_composer_server + hal_sensors_server + hal_vr_server + mediacodec # TODO(b/36375899): hal_omx_server +}:process signal; + +# Connect to tombstoned to intercept dumps. +unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned) + +# Access to /sys +allow dumpstate sysfs_type:dir r_dir_perms; + +allow dumpstate { + sysfs_dm + sysfs_usb + sysfs_zram +}:file r_file_perms; + +# Other random bits of data we want to collect +allow dumpstate qtaguid_proc:file r_file_perms; +allow dumpstate debugfs:file r_file_perms; + +# df for +allow dumpstate { + block_device + cache_file + rootfs + selinuxfs + storage_file + tmpfs +}:dir { search getattr }; +allow dumpstate fuse_device:chr_file getattr; +allow dumpstate { dm_device cache_block_device }:blk_file getattr; +allow dumpstate { cache_file rootfs }:lnk_file { getattr read }; + +# Read /dev/cpuctl and /dev/cpuset +r_dir_file(dumpstate, cgroup) + +# Allow dumpstate to make binder calls to any binder service +binder_call(dumpstate, binderservicedomain) +binder_call(dumpstate, { appdomain netd wificond }) + +hal_client_domain(dumpstate, hal_dumpstate) +hal_client_domain(dumpstate, hal_graphics_allocator) +# Vibrate the device after we are done collecting the bugreport +hal_client_domain(dumpstate, hal_vibrator) + +# Reading /proc/PID/maps of other processes +allow dumpstate self:global_capability_class_set sys_ptrace; + +# Allow the bugreport service to create a file in +# /data/data/com.android.shell/files/bugreports/bugreport +allow dumpstate shell_data_file:dir create_dir_perms; +allow dumpstate shell_data_file:file 
create_file_perms; + +# Run a shell. +allow dumpstate shell_exec:file rx_file_perms; + +# For running am and similar framework commands. +# Run /system/bin/app_process. +allow dumpstate zygote_exec:file rx_file_perms; +# Dalvik Compiler JIT. +allow dumpstate ashmem_device:chr_file execute; +allow dumpstate self:process execmem; +# For art. +allow dumpstate dalvikcache_data_file:dir { search getattr }; +allow dumpstate dalvikcache_data_file:file { r_file_perms execute }; +allow dumpstate dalvikcache_data_file:lnk_file r_file_perms; + +# For Bluetooth +allow dumpstate bluetooth_data_file:dir search; +allow dumpstate bluetooth_logs_data_file:dir r_dir_perms; +allow dumpstate bluetooth_logs_data_file:file r_file_perms; + +# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access +allow dumpstate gpu_device:chr_file rw_file_perms; + +# logd access +read_logd(dumpstate) +control_logd(dumpstate) +read_runtime_log_tags(dumpstate) + +# Read files in /proc +allow dumpstate { + proc_buddyinfo + proc_cmdline + proc_meminfo + proc_modules + proc_net + proc_pipe_conf + proc_pagetypeinfo + proc_qtaguid_stat + proc_version + proc_vmallocinfo + proc_vmstat +}:file r_file_perms; + +# Read network state info files. +allow dumpstate net_data_file:dir search; +allow dumpstate net_data_file:file r_file_perms; + +# List sockets via ss. +allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read }; + +# Access /data/tombstones. 
+allow dumpstate tombstone_data_file:dir r_dir_perms; +allow dumpstate tombstone_data_file:file r_file_perms; + +# Access /cache/recovery +allow dumpstate cache_recovery_file:dir r_dir_perms; +allow dumpstate cache_recovery_file:file r_file_perms; + +# Access /data/misc/recovery +allow dumpstate recovery_data_file:dir r_dir_perms; +allow dumpstate recovery_data_file:file r_file_perms; + +# Access /data/misc/profiles/{cur,ref}/ +userdebug_or_eng(` + allow dumpstate user_profile_data_file:dir r_dir_perms; + allow dumpstate user_profile_data_file:file r_file_perms; +') + +# Access /data/misc/logd +userdebug_or_eng(` + allow dumpstate misc_logd_file:dir r_dir_perms; + allow dumpstate misc_logd_file:file r_file_perms; +') + +allow dumpstate { + service_manager_type + -dumpstate_service + -gatekeeper_service + -incident_service + -virtual_touchpad_service + -vold_service + -vr_hwc_service +}:service_manager find; +# suppress denials for services dumpstate should not be accessing. +dontaudit dumpstate { + dumpstate_service + gatekeeper_service + incident_service + virtual_touchpad_service + vold_service + vr_hwc_service +}:service_manager find; + +allow dumpstate servicemanager:service_manager list; +allow dumpstate hwservicemanager:hwservice_manager list; + +allow dumpstate devpts:chr_file rw_file_perms; + +# Set properties. +# dumpstate_prop is used to share state with the Shell app. +set_prop(dumpstate, dumpstate_prop) +set_prop(dumpstate, exported_dumpstate_prop) +# dumpstate_options_prop is used to pass extra command-line args. +set_prop(dumpstate, dumpstate_options_prop) + +# Read device's serial number from system properties +get_prop(dumpstate, serialno_prop) + +# Read state of logging-related properties +get_prop(dumpstate, device_logging_prop) + +# Read state of boot reason properties +get_prop(dumpstate, bootloader_boot_reason_prop) +get_prop(dumpstate, last_boot_reason_prop) +get_prop(dumpstate, system_boot_reason_prop) + +# Access to /data/media. 
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
+allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+add_service(dumpstate, dumpstate_service)
+
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Allow dumpstate to run iotop
+allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+###
+### neverallow rules
+###
+
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ -traceur_app
+ -dumpstate
+} dumpstate_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/e2fs.te b/prebuilts/api/28.0/public/e2fs.te
new file mode 100644
index 000000000..6fcd0c2fb
--- /dev/null
+++ b/prebuilts/api/28.0/public/e2fs.te
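Review bot: The comment `# df for` above the `block_device cache_file rootfs selinuxfs storage_file tmpfs` dir rule is cut off mid-sentence, so the reason that rule and the fuse_device/blk_file/lnk_file getattr rules after it exist is lost; it should be completed to name what df needs to stat. Earlier in the same file, `allow dumpstate system_data_file:file r_file_perms;` is justified only by "Allow reading /data/system/uiderrors.txt" plus a TODO, yet it grants read of every default-labelled file under /data; giving uiderrors.txt its own type would close that, and it matters because the neverallow hunk earlier in this commit already exempts dumpstate from the dac_override and shell_data_file restrictions, so this domain is trusted widely. Style: `binder_call(dumpstate, installd);` carries a trailing semicolon that the other macro invocations in this file omit.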
@@ -0,0 +1,22 @@
+type e2fs, domain, coredomain;
+type e2fs_exec, exec_type, file_type;
+
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
+allow e2fs block_device:dir search;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
+allow e2fs {
+ proc_filesystems
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+
+# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
+allow e2fs sysfs_fs_ext4_features:file r_file_perms;
+
+# access sselinux context files
+allow e2fs file_contexts_file:file { getattr open read };
diff --git a/prebuilts/api/28.0/public/ephemeral_app.te b/prebuilts/api/28.0/public/ephemeral_app.te
new file mode 100644
index 000000000..dc39a22b5
--- /dev/null
+++ b/prebuilts/api/28.0/public/ephemeral_app.te
@@ -0,0 +1,14 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+type ephemeral_app, domain;
diff --git a/prebuilts/api/28.0/public/file.te b/prebuilts/api/28.0/public/file.te
new file mode 100644
index 000000000..156fce141
--- /dev/null
+++ b/prebuilts/api/28.0/public/file.te
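Review bot: The comment `# access sselinux context files` at the end of the e2fs hunk has a typo; it should read `# access selinux context files` (it describes the file_contexts_file rule that follows). The first rule, `allow e2fs devpts:chr_file { read write getattr ioctl };`, spells out a permission set narrower than the `rw_file_perms` macro used on the block devices below it (no `open`, so presumably it covers an inherited terminal descriptor rather than opening a pty itself); a short comment stating that this narrowing is intentional would keep a later cleanup from "simplifying" it into the broader macro.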
@@ -0,0 +1,405 @@ +# Filesystem types +type labeledfs, fs_type; +type pipefs, fs_type; +type sockfs, fs_type; +type rootfs, fs_type; +type proc, fs_type, proc_type; +# Security-sensitive proc nodes that should not be writable to most. +type proc_security, fs_type, proc_type; +type proc_drop_caches, fs_type, proc_type; +type proc_overcommit_memory, fs_type, proc_type; +type proc_min_free_order_shift, fs_type, proc_type; +# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers. +type usermodehelper, fs_type, proc_type; +type sysfs_usermodehelper, fs_type, sysfs_type; +type qtaguid_proc, fs_type, mlstrustedobject, proc_type; +type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type; +type proc_bluetooth_writable, fs_type, proc_type; +type proc_abi, fs_type, proc_type; +type proc_asound, fs_type, proc_type; +type proc_buddyinfo, fs_type, proc_type; +type proc_cmdline, fs_type, proc_type; +type proc_cpuinfo, fs_type, proc_type; +type proc_dirty, fs_type, proc_type; +type proc_diskstats, fs_type, proc_type; +type proc_extra_free_kbytes, fs_type, proc_type; +type proc_filesystems, fs_type, proc_type; +type proc_hostname, fs_type, proc_type; +type proc_hung_task, fs_type, proc_type; +type proc_interrupts, fs_type, proc_type; +type proc_iomem, fs_type, proc_type; +type proc_kmsg, fs_type, proc_type; +type proc_loadavg, fs_type, proc_type; +type proc_max_map_count, fs_type, proc_type; +type proc_meminfo, fs_type, proc_type; +type proc_misc, fs_type, proc_type; +type proc_modules, fs_type, proc_type; +type proc_mounts, fs_type, proc_type; +type proc_net, fs_type, proc_type; +type proc_page_cluster, fs_type, proc_type; +type proc_pagetypeinfo, fs_type, proc_type; +type proc_panic, fs_type, proc_type; +type proc_perf, fs_type, proc_type; +type proc_pid_max, fs_type, proc_type; +type proc_pipe_conf, fs_type, proc_type; +type proc_random, fs_type, proc_type; +type proc_sched, fs_type, proc_type; +type proc_stat, fs_type, proc_type; +type proc_swaps, 
fs_type, proc_type; +type proc_sysrq, fs_type, proc_type; +type proc_timer, fs_type, proc_type; +type proc_tty_drivers, fs_type, proc_type; +type proc_uid_cputime_showstat, fs_type, proc_type; +type proc_uid_cputime_removeuid, fs_type, proc_type; +type proc_uid_io_stats, fs_type, proc_type; +type proc_uid_procstat_set, fs_type, proc_type; +type proc_uid_time_in_state, fs_type, proc_type; +type proc_uid_concurrent_active_time, fs_type, proc_type; +type proc_uid_concurrent_policy_time, fs_type, proc_type; +type proc_uid_cpupower, fs_type, proc_type; +type proc_uptime, fs_type, proc_type; +type proc_version, fs_type, proc_type; +type proc_vmallocinfo, fs_type, proc_type; +type proc_vmstat, fs_type, proc_type; +type proc_zoneinfo, fs_type, proc_type; +type selinuxfs, fs_type, mlstrustedobject; +type cgroup, fs_type, mlstrustedobject; +type cgroup_bpf, fs_type; +type sysfs, fs_type, sysfs_type, mlstrustedobject; +type sysfs_android_usb, fs_type, sysfs_type; +type sysfs_uio, sysfs_type, fs_type; +type sysfs_batteryinfo, fs_type, sysfs_type; +type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject; +type sysfs_dm, fs_type, sysfs_type; +type sysfs_dt_firmware_android, fs_type, sysfs_type; +type sysfs_ipv4, fs_type, sysfs_type; +type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject; +type sysfs_leds, fs_type, sysfs_type; +type sysfs_hwrandom, fs_type, sysfs_type; +type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; +type sysfs_wake_lock, fs_type, sysfs_type; +type sysfs_mac_address, fs_type, sysfs_type; +type sysfs_net, fs_type, sysfs_type; +type sysfs_power, fs_type, sysfs_type; +type sysfs_rtc, fs_type, sysfs_type; +type sysfs_switch, fs_type, sysfs_type; +type sysfs_usb, fs_type, sysfs_type; +type sysfs_wakeup_reasons, fs_type, sysfs_type; +type sysfs_fs_ext4_features, sysfs_type, fs_type; +type fs_bpf, fs_type; +type configfs, fs_type; +# /sys/devices/system/cpu +type sysfs_devices_system_cpu, fs_type, sysfs_type; +# 
/sys/module/lowmemorykiller +type sysfs_lowmemorykiller, fs_type, sysfs_type; +# /sys/module/wlan/parameters/fwpath +type sysfs_wlan_fwpath, fs_type, sysfs_type; +type sysfs_vibrator, fs_type, sysfs_type; + +type sysfs_thermal, sysfs_type, fs_type; + +type sysfs_zram, fs_type, sysfs_type; +type sysfs_zram_uevent, fs_type, sysfs_type; +type inotify, fs_type, mlstrustedobject; +type devpts, fs_type, mlstrustedobject; +type tmpfs, fs_type; +type shm, fs_type; +type mqueue, fs_type; +type fuse, sdcard_type, fs_type, mlstrustedobject; +type sdcardfs, sdcard_type, fs_type, mlstrustedobject; +type vfat, sdcard_type, fs_type, mlstrustedobject; +type debugfs, fs_type, debugfs_type; +type debugfs_mmc, fs_type, debugfs_type; +type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject; +type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject; +type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject; +type debugfs_tracing_instances, fs_type, debugfs_type; +type debugfs_wakeup_sources, fs_type, debugfs_type; +type debugfs_wifi_tracing, fs_type, debugfs_type; + +type pstorefs, fs_type; +type functionfs, fs_type, mlstrustedobject; +type oemfs, fs_type, contextmount_type; +type usbfs, fs_type; +type binfmt_miscfs, fs_type; +type app_fusefs, fs_type, contextmount_type; + +# File types +type unlabeled, file_type; + +# Default type for anything under /system. +type system_file, file_type; + +# Default type for directories search for +# HAL implementations +type vendor_hal_file, vendor_file_type, file_type; +# Default type for under /vendor or /system/vendor +type vendor_file, vendor_file_type, file_type; +# Default type for everything in /vendor/app +type vendor_app_file, vendor_file_type, file_type; +# Default type for everything under /vendor/etc/ +type vendor_configs_file, vendor_file_type, file_type; +# Default type for all *same process* HALs. +# e.g. 
libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so +type same_process_hal_file, vendor_file_type, file_type; +# Default type for vndk-sp libs. /vendor/lib/vndk-sp +type vndk_sp_file, vendor_file_type, file_type; +# Default type for everything in /vendor/framework +type vendor_framework_file, vendor_file_type, file_type; +# Default type for everything in /vendor/overlay +type vendor_overlay_file, vendor_file_type, file_type; + +# /metadata subdirectories +type vold_metadata_file, file_type; + +# Speedup access for trusted applications to the runtime event tags +type runtime_event_log_tags_file, file_type; +# Type for /system/bin/logcat. +type logcat_exec, exec_type, file_type; +# /cores for coredumps on userdebug / eng builds +type coredump_file, file_type; +# Default type for anything under /data. +type system_data_file, file_type, data_file_type, core_data_file_type; +# Default type for anything under /data/vendor{_ce,_de}. +type vendor_data_file, file_type, data_file_type; +# Unencrypted data +type unencrypted_data_file, file_type, data_file_type, core_data_file_type; +# /data/.layout_version or other installd-created files that +# are created in a system_data_file directory. 
+type install_data_file, file_type, data_file_type, core_data_file_type; +# /data/drm - DRM plugin data +type drm_data_file, file_type, data_file_type, core_data_file_type; +# /data/adb - adb debugging files +type adb_data_file, file_type, data_file_type, core_data_file_type; +# /data/anr - ANR traces +type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# /data/tombstones - core dumps +type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# /data/vendor/tombstones/wifi - vendor wifi dumps +type tombstone_wifi_data_file, file_type, data_file_type; +# /data/app - user-installed apps +type apk_data_file, file_type, data_file_type, core_data_file_type; +type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# /data/app-private - forward-locked apps +type apk_private_data_file, file_type, data_file_type, core_data_file_type; +type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# /data/dalvik-cache +type dalvikcache_data_file, file_type, data_file_type, core_data_file_type; +# /data/ota +type ota_data_file, file_type, data_file_type, core_data_file_type; +# /data/ota_package +type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# /data/misc/profiles +type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# /data/misc/profman +type profman_dump_data_file, file_type, data_file_type, core_data_file_type; +# /data/resource-cache +type resourcecache_data_file, file_type, data_file_type, core_data_file_type; +# /data/local - writable by shell +type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# /data/property +type property_data_file, file_type, data_file_type, core_data_file_type; +# /data/bootchart +type bootchart_data_file, file_type, data_file_type, core_data_file_type; +# /data/system/heapdump +type 
heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# /data/nativetest +type nativetest_data_file, file_type, data_file_type, core_data_file_type; +# /data/system_de/0/ringtones +type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# /data/preloads +type preloads_data_file, file_type, data_file_type, core_data_file_type; +# /data/preloads/media +type preloads_media_file, file_type, data_file_type, core_data_file_type; +# /data/misc/dhcp and /data/misc/dhcp-6.8.2 +type dhcp_data_file, file_type, data_file_type, core_data_file_type; + +# Mount locations managed by vold +type mnt_media_rw_file, file_type; +type mnt_user_file, file_type; +type mnt_expand_file, file_type; +type storage_file, file_type; + +# Label for storage dirs which are just mount stubs +type mnt_media_rw_stub_file, file_type; +type storage_stub_file, file_type; + +# /postinstall: Mount point used by update_engine to run postinstall. +type postinstall_mnt_dir, file_type; +# Files inside the /postinstall mountpoint are all labeled as postinstall_file. 
+type postinstall_file, file_type; + +# /data/misc subdirectories +type adb_keys_file, file_type, data_file_type, core_data_file_type; +type audio_data_file, file_type, data_file_type, core_data_file_type; +type audioserver_data_file, file_type, data_file_type, core_data_file_type; +type bluetooth_data_file, file_type, data_file_type, core_data_file_type; +type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type; +type bootstat_data_file, file_type, data_file_type, core_data_file_type; +type boottrace_data_file, file_type, data_file_type, core_data_file_type; +type camera_data_file, file_type, data_file_type, core_data_file_type; +type gatekeeper_data_file, file_type, data_file_type, core_data_file_type; +type incident_data_file, file_type, data_file_type, core_data_file_type; +type keychain_data_file, file_type, data_file_type, core_data_file_type; +type keystore_data_file, file_type, data_file_type, core_data_file_type; +type media_data_file, file_type, data_file_type, core_data_file_type; +type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +type misc_user_data_file, file_type, data_file_type, core_data_file_type; +type net_data_file, file_type, data_file_type, core_data_file_type; +type network_watchlist_data_file, file_type, data_file_type, core_data_file_type; +type nfc_data_file, file_type, data_file_type, core_data_file_type; +type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +type recovery_data_file, file_type, data_file_type, core_data_file_type; +type shared_relro_file, file_type, data_file_type, core_data_file_type; +type systemkeys_data_file, file_type, data_file_type, core_data_file_type; +type textclassifier_data_file, file_type, data_file_type, core_data_file_type; +type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +type vpn_data_file, file_type, data_file_type, core_data_file_type; +type wifi_data_file, file_type, 
data_file_type, core_data_file_type; +type zoneinfo_data_file, file_type, data_file_type, core_data_file_type; +type vold_data_file, file_type, data_file_type, core_data_file_type; +type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +type tee_data_file, file_type, data_file_type; +type update_engine_data_file, file_type, data_file_type, core_data_file_type; +type update_engine_log_data_file, file_type, data_file_type, core_data_file_type; +# /data/misc/trace for method traces on userdebug / eng builds +type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; + +# /data/data subdirectories - app sandboxes +type app_data_file, file_type, data_file_type, core_data_file_type; +# /data/data subdirectory for system UID apps. +type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# Compatibility with type name used in Android 4.3 and 4.4. +# Default type for anything under /cache +type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# Type for /cache/backup_stage/* (fd interchange with apps) +type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# type for anything under /cache/backup (local transport storage) +type cache_private_backup_file, file_type, data_file_type, core_data_file_type; +# Type for anything under /cache/recovery +type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# Default type for anything under /efs +type efs_file, file_type; +# Type for wallpaper file. +type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# Type for shortcut manager icon file. +type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# Type for user icon file. 
+type icon_file, file_type, data_file_type, core_data_file_type; +# /mnt/asec +type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# Elements of asec files (/mnt/asec) that are world readable +type asec_public_file, file_type, data_file_type, core_data_file_type; +# /data/app-asec +type asec_image_file, file_type, data_file_type, core_data_file_type; +# /data/backup and /data/secure/backup +type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +# All devices have bluetooth efs files. But they +# vary per device, so this type is used in per +# device policy +type bluetooth_efs_file, file_type; +# Type for fingerprint template file +type fingerprintd_data_file, file_type, data_file_type, core_data_file_type; +# Type for _new_ fingerprint template file +type fingerprint_vendor_data_file, file_type, data_file_type; +# Type for appfuse file. +type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; + +# Socket types +type adbd_socket, file_type, coredomain_socket; +type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket; +type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject; +type dumpstate_socket, file_type, coredomain_socket; +type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject; +type lmkd_socket, file_type, coredomain_socket; +type logd_socket, file_type, coredomain_socket, mlstrustedobject; +type logdr_socket, file_type, coredomain_socket, mlstrustedobject; +type logdw_socket, file_type, coredomain_socket, mlstrustedobject; +type mdns_socket, file_type, coredomain_socket; +type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject; +type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type; +type mtpd_socket, file_type, coredomain_socket; +type netd_socket, file_type, coredomain_socket; +type property_socket, file_type, coredomain_socket, mlstrustedobject; +type 
racoon_socket, file_type, coredomain_socket;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_consumer_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
+type zygote_socket, file_type, coredomain_socket;
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
+# file_contexts files
+type file_contexts_file, file_type;
+
+# mac_permissions file
+type mac_perms_file, file_type;
+
+# property_contexts file
+type property_contexts_file, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
+# service_contexts file
+type service_contexts_file, file_type;
+
+# nonplat service_contexts file (only accessible on non full-treble devices)
+type nonplat_service_contexts_file, file_type;
+
+# 
hwservice_contexts file
+type hwservice_contexts_file, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
+
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
+# Deprecated in SDK version 28
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+# type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+# type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem associate;
diff --git a/prebuilts/api/28.0/public/fingerprintd.te b/prebuilts/api/28.0/public/fingerprintd.te
new file mode 100644
index 000000000..2dc110721
--- /dev/null
+++ b/prebuilts/api/28.0/public/fingerprintd.te
@@ -0,0 +1,26 @@
+type fingerprintd, domain;
+type fingerprintd_exec, exec_type, file_type;
+
+binder_use(fingerprintd)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
+# need to find KeyStore and add self
+add_service(fingerprintd, fingerprintd_service)
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
+
+allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/28.0/public/fsck.te b/prebuilts/api/28.0/public/fsck.te
new file mode 100644
index 000000000..c5219d8ab
--- /dev/null
+++ b/prebuilts/api/28.0/public/fsck.te
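Review bot: The comment above `allow fingerprintd fingerprintd_data_file:file { create_file_perms };` says the HAL module may "read dir contents", but create_file_perms in global_macros expands to create/rename/setattr/unlink plus rw_file_perms, so the comment understates what is granted on the template files; I would change it to `# allow HAL module to create/read/write/unlink fingerprint template files`. The braces around the single macro are redundant and the file otherwise writes macros bare (`rw_dir_perms` two lines down). These prebuilts are a frozen API snapshot, so any wording fix belongs in the source policy that generated them.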
@@ -0,0 +1,57 @@
+# Any fsck program run by init
+type fsck, domain;
+type fsck_exec, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow fsck tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
+# Run fsck on certain block devices
+allow fsck block_device:dir search;
+allow fsck userdata_block_device:blk_file rw_file_perms;
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
+
+allow fsck {
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+allow fsck rootfs:dir r_dir_perms;
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+ boot_block_device
+ frp_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ vold_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
+neverallow * fsck:process dyntransition;
+neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
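Review bot: The fsck neverallow list (`boot_block_device` … `vold_device`) does not include `metadata_block_device`, while the parallel list in fsck_untrusted.te does; nothing in this hunk grants fsck rw on it either, so that partition is protected only by the absence of an allow rule rather than by a neverallow. If init is not meant to run fsck on the metadata partition, adding `metadata_block_device` to the list makes the intent enforceable; if it is meant to, a one-line comment saying so would stop the next reader from copying the fsck_untrusted list over. The nine-line e2fsck /proc/mounts explanation is duplicated verbatim in fsck_untrusted.te; one file could reference the other instead.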
diff --git a/prebuilts/api/28.0/public/fsck_untrusted.te b/prebuilts/api/28.0/public/fsck_untrusted.te
new file mode 100644
index 000000000..8510c9424
--- /dev/null
+++ b/prebuilts/api/28.0/public/fsck_untrusted.te
@@ -0,0 +1,49 @@
+# Any fsck program run on untrusted block devices
+type fsck_untrusted, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+allow fsck_untrusted proc_mounts:file r_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow * fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/28.0/public/gatekeeperd.te b/prebuilts/api/28.0/public/gatekeeperd.te
new file mode 100644
index 000000000..2fc36279d
--- /dev/null
+++ b/prebuilts/api/28.0/public/gatekeeperd.te
@@ -0,0 +1,39 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, exec_type, file_type;
+
+# gatekeeperd
+binder_service(gatekeeperd)
+binder_use(gatekeeperd)
+
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hal_client_domain(gatekeeperd, hal_gatekeeper)
+###
+
+# need to find KeyStore and add self
+add_service(gatekeeperd, gatekeeper_service)
+
+# Need to add auth tokens to KeyStore
+use_keystore(gatekeeperd)
+allow gatekeeperd keystore:keystore_key { add_auth };
+
+# For permissions checking
+allow gatekeeperd system_server:binder call;
+allow gatekeeperd permission_service:service_manager find;
+
+# for SID file access
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+
+# For hardware properties retrieval
+allow gatekeeperd hardware_properties_service:service_manager find;
+
+r_dir_file(gatekeeperd, cgroup)
diff --git a/prebuilts/api/28.0/public/global_macros b/prebuilts/api/28.0/public/global_macros
new file mode 100644
index 000000000..5dab5ab0c
--- /dev/null
+++ b/prebuilts/api/28.0/public/global_macros
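Review bot: The "HAL inside gatekeeperd" block grants `allow gatekeeperd tee_device:chr_file rw_file_perms;` and the ion_device rule unconditionally, and the "HAL outside" block grants `hal_client_domain(gatekeeperd, hal_gatekeeper)` right after it, so gatekeeperd keeps direct TEE access even on builds where the HAL runs in a separate hal_gatekeeper process. The `### These rules should eventually be granted only when needed.` comments acknowledge this but give no condition or tracking reference; a note such as `# TODO(<tracking-bug placeholder>): drop the direct tee_device rules once every target uses the out-of-process hal_gatekeeper` would record the intended end state. I can't tell from the hunk whether any shipping target still links the HAL in-process.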
@@ -0,0 +1,50 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
+
+define(`devfile_class_set', `{ chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
+define(`dir_file_class_set', `{ dir file_class_set }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map }')
+define(`w_file_perms', `{ open append write lock map }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl lock }')
+define(`w_dir_perms', `{ open search write add_name remove_name lock }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/prebuilts/api/28.0/public/hal_allocator.te b/prebuilts/api/28.0/public/hal_allocator.te
new file mode 100644
index 000000000..646cebdeb
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_allocator.te
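Review bot: `x_file_perms` bundles `execute_no_trans` with `execute`, so every grant made through `rx_file_perms` or `rwx_file_perms` also permits running the file in the caller's own domain, not only executing it through a domain transition; several HAL files in this series neverallow `execute_no_trans` for their servers, and a reader of this macro file should see that interaction. I would add above the define: `# NOTE: x_file_perms includes execute_no_trans, so rx_file_perms grants in-domain execution, not just exec-with-transition`. Similarly `r_file_perms` and `w_file_perms` both carry `map`; a one-line comment that `map` is what allows mmap of the file would make the read-vs-map distinction visible to anyone composing new sets from these. The hunk begins on the preceding line.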
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_audio.te b/prebuilts/api/28.0/public/hal_audio.te
new file mode 100644
index 000000000..037066ea8
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_audio.te
@@ -0,0 +1,38 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
+allow hal_audio ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_audio, proc)
+r_dir_file(hal_audio, proc_asound)
+allow hal_audio_server audio_device:dir r_dir_perms;
+allow hal_audio_server audio_device:chr_file rw_file_perms;
+
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_audio shell:fd use;
+allow hal_audio shell:fifo_file write;
+allow hal_audio dumpstate:fd use;
+allow hal_audio dumpstate:fifo_file write;
+
+# allow hal audio to use vnbinder
+vndbinder_use(hal_audio)
+
+###
+### neverallow rules
+###
+
+# Should never execute any executable without a domain transition
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access.
+# Disallow network sockets.
+neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
+
+get_prop(hal_audio, bluetooth_a2dp_offload_prop)
diff --git a/prebuilts/api/28.0/public/hal_authsecret.te b/prebuilts/api/28.0/public/hal_authsecret.te
new file mode 100644
index 000000000..81b0c0445
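Review bot: Typo in the comment above `vndbinder_use(hal_audio)`: `# allow hal audio to use vnbinder` should read `# allow hal_audio to use vndbinder`, matching the macro and attribute names. Separately, the debug-output rules `allow hal_audio shell:fifo_file write;` and `allow hal_audio dumpstate:fifo_file write;` are granted to the whole `hal_audio` attribute, so client domains receive them as well as `hal_audio_server`; if only the server produces dumpsys output, scoping them to `hal_audio_server` would be tighter, though I can't confirm from the hunk which side writes the dump.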
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_authsecret.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_authsecret_client, hal_authsecret_server)
+
+add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
+allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_bluetooth.te b/prebuilts/api/28.0/public/hal_bluetooth.te
new file mode 100644
index 000000000..373dbec6b
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_bluetooth.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_bluetooth_client, hal_bluetooth_server)
+binder_call(hal_bluetooth_server, hal_bluetooth_client)
+
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
+wakelock_use(hal_bluetooth);
+
+# The HAL toggles rfkill to power the chip off/on.
+allow hal_bluetooth self:global_capability_class_set net_admin;
+
+# bluetooth factory file accesses.
+r_dir_file(hal_bluetooth, bluetooth_efs_file)
+
+allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+r_dir_file(hal_bluetooth, sysfs_type)
+allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth self:global_capability2_class_set wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(hal_bluetooth, bluetooth_prop)
+set_prop(hal_bluetooth, exported_bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/28.0/public/hal_bootctl.te b/prebuilts/api/28.0/public/hal_bootctl.te
new file mode 100644
index 000000000..181de4a9c
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_bootctl.te
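Review bot: `wakelock_use(hal_bluetooth);` carries a trailing semicolon while every other m4 macro call in hal_bluetooth.te (`binder_call`, `add_hwservice`, `r_dir_file`, `set_prop`) is written bare; drop it for consistency: `wakelock_use(hal_bluetooth)`. Separately, `r_dir_file(hal_bluetooth, sysfs_type)` grants read on every sysfs label on the device, whereas the write grant two lines below is narrowed to `sysfs_bluetooth_writable`; a comment explaining why the full sysfs_type read is needed, or narrowing it to the labels the HAL actually reads, would help, but the hunk does not show which sysfs nodes those are.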
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+
+dontaudit hal_bootctl self:capability sys_rawio;
diff --git a/prebuilts/api/28.0/public/hal_broadcastradio.te b/prebuilts/api/28.0/public/hal_broadcastradio.te
new file mode 100644
index 000000000..24d4908e1
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_broadcastradio.te
@@ -0,0 +1,4 @@
+binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
+
+add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
+allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_camera.te b/prebuilts/api/28.0/public/hal_camera.te
new file mode 100644
index 000000000..8fe744214
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_camera.te
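Review bot: `dontaudit hal_bootctl self:capability sys_rawio;` names the bare `capability` class, while the other HAL files in this series (hal_bluetooth.te, hal_graphics_allocator.te, hal_graphics_composer.te) use `self:global_capability_class_set`, which global_macros defines as `{ capability cap_userns }`; as written, a denial reported against `cap_userns`, if one occurs, would still be audited. Change it to `dontaudit hal_bootctl self:global_capability_class_set sys_rawio;` for consistency. A short comment saying what triggers the sys_rawio attempt would also help a reader judge whether silencing it is still appropriate; the hunk does not show the caller, so I can only suggest the placement, not the wording.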
@@ -0,0 +1,33 @@
+# HwBinder IPC from clients to server and callbacks
+binder_call(hal_camera_client, hal_camera_server)
+binder_call(hal_camera_server, hal_camera_client)
+
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+
+allow hal_camera device:dir r_dir_perms;
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+# Both the client and the server need to use the graphics allocator
+allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
+
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
+allow hal_camera { appdomain -isolated_app }:fd use;
+allow hal_camera surfaceflinger:fd use;
+allow hal_camera hal_allocator_server:fd use;
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only camera HAL may directly access the camera hardware
+neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/prebuilts/api/28.0/public/hal_cas.te b/prebuilts/api/28.0/public/hal_cas.te
new file mode 100644
index 000000000..7f6535858
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_cas.te
@@ -0,0 +1,35 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_cas_client, hal_cas_server)
+binder_call(hal_cas_server, hal_cas_client)
+
+add_hwservice(hal_cas_server, hal_cas_hwservice)
+allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_cas_server, serialno_prop)
+
+# Read files already opened under /data
+allow hal_cas system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_cas, cgroup)
+allow hal_cas cgroup:dir { search write };
+allow hal_cas cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_cas ion_device:chr_file rw_file_perms;
+allow hal_cas hal_graphics_allocator:fd use;
+
+allow hal_cas tee_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# hal_cas should never execute any executable without a
+# domain transition
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/28.0/public/hal_configstore.te b/prebuilts/api/28.0/public/hal_configstore.te
new file mode 100644
index 000000000..d5f2ef6fe
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_configstore.te
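Review bot: The comment `# Read access to pseudo filesystems` sits above `allow hal_cas cgroup:dir { search write };` and `allow hal_cas cgroup:file w_file_perms;`, which grant write, so the comment misdescribes the rules that follow it; something like `# cgroup access: read the hierarchy and write into it (e.g. task placement)` would match the perms, with the purpose in parentheses inferred from the permission set rather than from the hunk. hal_drm.te later in this series carries the identical comment and rule pair and should get the same fix. Both grants are on the `hal_cas` attribute, so client domains receive cgroup write as well as the server; if only the server needs it, `hal_cas_server` is the tighter subject.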
@@ -0,0 +1,64 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
+
+allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.
+
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
+
+###
+### neverallow rules
+###
+
+# Should never execute an executable without a domain transition
+neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access. Disallow sockets except for
+# for unix stream/dgram sockets used for logging/debugging.
+neverallow hal_configstore_server domain:{
+ rawip_socket tcp_socket udp_socket
+ netlink_route_socket netlink_selinux_socket
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+neverallow hal_configstore_server {
+ domain
+ -hal_configstore_server
+ -logd
+ userdebug_or_eng(`-su')
+ -tombstoned
+}:{ unix_dgram_socket unix_stream_socket } *;
+
+# Should never need access to anything on /data
+neverallow hal_configstore_server {
+ data_file_type
+ -anr_data_file # for crash dump collection
+ -tombstone_data_file # for crash dump collection
+ -zoneinfo_data_file # granted to domain
+}:{ file fifo_file sock_file } *;
+
+# Should never need 
sdcard access
+neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
+
+# Do not permit access to service_manager and vndservice_manager
+neverallow hal_configstore_server *:service_manager *;
+
+# No privileged capabilities
+neverallow hal_configstore_server self:capability_class_set *;
+
+# No ptracing other processes
+neverallow hal_configstore_server *:process ptrace;
+
+# no relabeling
+neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
diff --git a/prebuilts/api/28.0/public/hal_confirmationui.te b/prebuilts/api/28.0/public/hal_confirmationui.te
new file mode 100644
index 000000000..228e86496
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_confirmationui.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
+allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_contexthub.te b/prebuilts/api/28.0/public/hal_contexthub.te
new file mode 100644
index 000000000..f11bfc816
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_contexthub.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_drm.te b/prebuilts/api/28.0/public/hal_drm.te
new file mode 100644
index 000000000..a46dd9116
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_drm.te
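Review bot: The comment pair `# Should never need network access. Disallow sockets except for` / `# for unix stream/dgram sockets used for logging/debugging.` in hal_configstore.te repeats "for" across the line break; drop one of them. The `userdebug_or_eng(`-su')` entry in the unix-socket neverallow is the only build-variant exception in the file, so a trailing comment on that line, e.g. `userdebug_or_eng(`-su') # debug shell may attach on non-user builds`, would make the carve-out self-explanatory in the same way the `-anr_data_file # for crash dump collection` entries below already are. The hal_configstore hunk begins on the preceding line.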
@@ -0,0 +1,53 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
+
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# System file accesses
+allow hal_drm system_file:dir r_dir_perms;
+allow hal_drm system_file:file r_file_perms;
+allow hal_drm system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data
+allow hal_drm system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
+allow hal_drm sysfs:file r_file_perms;
+
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/28.0/public/hal_dumpstate.te b/prebuilts/api/28.0/public/hal_dumpstate.te
new file mode 100644
index 000000000..2853567e0
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_dumpstate.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_dumpstate_client, hal_dumpstate_server)
+binder_call(hal_dumpstate_server, hal_dumpstate_client)
+
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
+# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
+allow hal_dumpstate shell_data_file:file write;
+# allow reading /proc/interrupts for all hal impls
+allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/28.0/public/hal_fingerprint.te b/prebuilts/api/28.0/public/hal_fingerprint.te
new file mode 100644
index 000000000..ebe0b0c82
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_fingerprint.te
@@ -0,0 +1,17 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_fingerprint_client, hal_fingerprint_server)
+binder_call(hal_fingerprint_server, hal_fingerprint_client)
+
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
+allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+
+r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, sysfs)
+
+
diff --git a/prebuilts/api/28.0/public/hal_gatekeeper.te b/prebuilts/api/28.0/public/hal_gatekeeper.te
new file mode 100644
index 000000000..123acf567
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_gatekeeper.te
@@ -0,0 +1,8 @@
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
+
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
+# TEE access.
+allow hal_gatekeeper tee_device:chr_file rw_file_perms;
+allow hal_gatekeeper ion_device:chr_file r_file_perms;
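Review bot: In hal_fingerprint.te, `allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };` wraps a single macro in braces that the next line (`rw_dir_perms`) omits, and the hunk ends with two empty added lines before end of file; both are style nits worth cleaning. The template-store rules are granted to the `hal_fingerprint` attribute rather than `hal_fingerprint_server`, so a client domain could also create and unlink templates under `fingerprint_vendor_data_file`; if only the server touches the store, `hal_fingerprint_server` is the tighter subject, though I can't confirm the in-process configuration from this hunk. A one-line comment above the two rules, e.g. `# fingerprint template storage (create/update/delete)`, would also bring them in line with the commented rules around them.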
diff --git a/prebuilts/api/28.0/public/hal_gnss.te b/prebuilts/api/28.0/public/hal_gnss.te
new file mode 100644
index 000000000..b59cd1d5a
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_gnss.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_graphics_allocator.te b/prebuilts/api/28.0/public/hal_graphics_allocator.te
new file mode 100644
index 000000000..e2b04ae83
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_graphics_allocator.te
@@ -0,0 +1,13 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/28.0/public/hal_graphics_composer.te b/prebuilts/api/28.0/public/hal_graphics_composer.te
new file mode 100644
index 000000000..2df461249
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_graphics_composer.te
@@ -0,0 +1,26 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
+
+# Coordinate with hal_graphics_mapper
+allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer hal_graphics_allocator:fd use;
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:dir search;
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+
+# Fences
+allow hal_graphics_composer system_server:fd use;
+allow hal_graphics_composer bootanim:fd use;
+allow hal_graphics_composer appdomain:fd use;
+
+# allow self to set SCHED_FIFO
+allow hal_graphics_composer self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/28.0/public/hal_health.te b/prebuilts/api/28.0/public/hal_health.te
new file mode 100644
index 000000000..c0a0f804c
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_health.te
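Review bot: `allow hal_graphics_composer appdomain:fd use;` under `# Fences` accepts file descriptors from every app domain, including isolated_app, whereas hal_camera.te in this series deliberately writes `{ appdomain -isolated_app }:fd use`. If isolated processes never hand fences to the composer, the same carve-out applies here; if they legitimately can, a comment on the line saying so would justify the broader grant and stop a later reader from "fixing" it. I can't tell from the hunk which is the case.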
@@ -0,0 +1,30 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
+
+# Read access to system files for HALs in
+# /{system,vendor,odm}/lib[64]/hw/ in order
+# to be able to open the hal implementation .so files
+r_dir_file(hal_health, system_file)
+
+# Common rules for a health service.
+
+# Allow to listen to uevents for updates
+allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Allow to read /sys/class/power_supply directory
+allow hal_health_server sysfs:dir r_dir_perms;
+
+# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
+# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
+# HAL service.
+r_dir_file(hal_health_server, sysfs_batteryinfo)
+
+# Allow to wake up to send periodic events
+wakelock_use(hal_health_server)
+
+# Write to /dev/kmsg
+allow hal_health_server kmsg_device:chr_file w_file_perms;
diff --git a/prebuilts/api/28.0/public/hal_ir.te b/prebuilts/api/28.0/public/hal_ir.te
new file mode 100644
index 000000000..b1bfdd804
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_ir.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_keymaster.te b/prebuilts/api/28.0/public/hal_keymaster.te
new file mode 100644
index 000000000..dc5f6d01d
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_keymaster.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
+
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
+allow hal_keymaster tee_device:chr_file rw_file_perms;
+allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/28.0/public/hal_light.te b/prebuilts/api/28.0/public/hal_light.te
new file mode 100644
index 000000000..5b93dd115
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_light.te
@@ -0,0 +1,10 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
+
+allow hal_light sysfs_leds:lnk_file read;
+allow hal_light sysfs_leds:file rw_file_perms;
+allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/prebuilts/api/28.0/public/hal_lowpan.te b/prebuilts/api/28.0/public/hal_lowpan.te
new file mode 100644
index 000000000..af491b159
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_lowpan.te
@@ -0,0 +1,21 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_lowpan_client, hal_lowpan_server)
+binder_call(hal_lowpan_server, hal_lowpan_client)
+
+add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
+
+# Allow hal_lowpan_client to be able to find the hal_lowpan_server
+allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
+
+# hal_lowpan domain can write/read to/from lowpan_prop
+set_prop(hal_lowpan_server, lowpan_prop)
+
+# Allow hal_lowpan_server to open lowpan_devices
+allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Only LoWPAN HAL may directly access LoWPAN hardware
+neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
diff --git a/prebuilts/api/28.0/public/hal_memtrack.te b/prebuilts/api/28.0/public/hal_memtrack.te
new file mode 100644
index 000000000..b2cc9cd1e
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_memtrack.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_neuralnetworks.te b/prebuilts/api/28.0/public/hal_neuralnetworks.te
new file mode 100644
index 000000000..c697ac2f2
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_neuralnetworks.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
+binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
+
+add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
+allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_allocator:fd use;
diff --git a/prebuilts/api/28.0/public/hal_neverallows.te b/prebuilts/api/28.0/public/hal_neverallows.te
new file mode 100644
index 000000000..017fcce7b
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_neverallows.te
@@ -0,0 +1,54 @@
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+ halserverdomain
+ -hal_bluetooth_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
+neverallow {
+ halserverdomain
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+} domain:{ tcp_socket udp_socket rawip_socket } *;
+
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+# the platform.
+# 3) The platform cannot reason about defense in depth if there are
+# monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+ halserverdomain
+ -hal_dumpstate_server
+ -hal_telephony_server
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;
diff --git a/prebuilts/api/28.0/public/hal_nfc.te b/prebuilts/api/28.0/public/hal_nfc.te
new file mode 100644
index 000000000..3bcdf5ee1
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_nfc.te
@@ -0,0 +1,12 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_nfc_client, hal_nfc_server)
+binder_call(hal_nfc_server, hal_nfc_client)
+
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
+# Set NFC properties (used by bcm2079x HAL).
+set_prop(hal_nfc, nfc_prop)
+
+# NFC device access.
+allow hal_nfc nfc_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/28.0/public/hal_oemlock.te b/prebuilts/api/28.0/public/hal_oemlock.te
new file mode 100644
index 000000000..3fb5a1871
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_oemlock.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_oemlock_client, hal_oemlock_server)
+
+add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
+allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_power.te b/prebuilts/api/28.0/public/hal_power.te
new file mode 100644
index 000000000..fcba3d25d
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_power.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_secure_element.te b/prebuilts/api/28.0/public/hal_secure_element.te
new file mode 100644
index 000000000..e3046d12e
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_secure_element.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
+allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_sensors.te b/prebuilts/api/28.0/public/hal_sensors.te
new file mode 100644
index 000000000..9d7cbe913
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_sensors.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server
+binder_call(hal_sensors_client, hal_sensors_server)
+
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
+# Allow sensor hals to access ashmem memory allocated by apps
+allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
+
+# allow to run with real-time scheduling policy
+allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/28.0/public/hal_telephony.te b/prebuilts/api/28.0/public/hal_telephony.te
new file mode 100644
index 000000000..31859aa51
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_telephony.te
@@ -0,0 +1,47 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+
+allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
+
+allow hal_telephony_server self:netlink_route_socket nlmsg_write;
+allow hal_telephony_server kernel:system module_request;
+allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
+allow hal_telephony_server alarm_device:chr_file rw_file_perms;
+allow hal_telephony_server cgroup:dir create_dir_perms;
+allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server radio_device:chr_file rw_file_perms;
+allow hal_telephony_server radio_device:blk_file r_file_perms;
+allow hal_telephony_server mtd_device:dir search;
+allow hal_telephony_server efs_file:dir create_dir_perms;
+allow hal_telephony_server efs_file:file create_file_perms;
+allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
+allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
+allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
+allow hal_telephony_server sdcard_type:dir r_dir_perms;
+
+# property service
+set_prop(hal_telephony_server, radio_prop)
+set_prop(hal_telephony_server, exported_radio_prop)
+set_prop(hal_telephony_server, exported2_radio_prop)
+set_prop(hal_telephony_server, exported3_radio_prop)
+
+allow hal_telephony_server tty_device:chr_file rw_file_perms;
+
+# Allow hal_telephony_server to create and use netlink sockets.
+allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access to wake locks
+wakelock_use(hal_telephony_server)
+
+r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, sysfs_type)
+r_dir_file(hal_telephony_server, system_file)
+
+# granting the ioctl permission for hal_telephony_server should be device specific
+allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
diff --git a/prebuilts/api/28.0/public/hal_tetheroffload.te b/prebuilts/api/28.0/public/hal_tetheroffload.te
new file mode 100644
index 000000000..48d67a29b
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_tetheroffload.te
@@ -0,0 +1,8 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
+binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/prebuilts/api/28.0/public/hal_thermal.te b/prebuilts/api/28.0/public/hal_thermal.te
new file mode 100644
index 000000000..b1764f114
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_thermal.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_tv_cec.te b/prebuilts/api/28.0/public/hal_tv_cec.te
new file mode 100644
index 000000000..7719cae92
--- /dev/null
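Review bot: The run of grants from `allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };` down to `allow hal_telephony_server sdcard_type:dir r_dir_perms;` carries no rationale at all, although it is the most privileged HAL policy in this change: capability bits, `vendor_shell_exec:file rx_file_perms` (which is why this domain needs the execute_no_trans exemption in hal_neverallows.te), and reads of sdcard_type that hal_wifi_hostapd.te and hal_wifi_supplicant.te explicitly neverallow for themselves. A one-line comment per group, in the style the file already uses for `# property service`, would let a reviewer of the policy source judge each grant — e.g. `# vendor_shell_exec: <reason> (see execute_no_trans exemption in hal_neverallows.te)` and `# sdcard_type: <reason>` with the reasons filled in from the RIL that needs them. Whether the setpcap/setuid/setgid trio is still required by the RIL this snapshot targets cannot be determined from the diff; the hunk for hal_telephony.te begins on the previous physical line.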
+++ b/prebuilts/api/28.0/public/hal_tv_cec.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_cec_client, hal_tv_cec_server)
+binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_tv_input.te b/prebuilts/api/28.0/public/hal_tv_input.te
new file mode 100644
index 000000000..31a006740
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_tv_input.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_usb.te b/prebuilts/api/28.0/public/hal_usb.te
new file mode 100644
index 000000000..9cfd5165d
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_usb.te
@@ -0,0 +1,18 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
+
+allow hal_usb self:netlink_kobject_uevent_socket create;
+allow hal_usb self:netlink_kobject_uevent_socket setopt;
+allow hal_usb self:netlink_kobject_uevent_socket bind;
+allow hal_usb self:netlink_kobject_uevent_socket read;
+allow hal_usb sysfs:dir open;
+allow hal_usb sysfs:dir read;
+allow hal_usb sysfs:file read;
+allow hal_usb sysfs:file open;
+allow hal_usb sysfs:file write;
+allow hal_usb sysfs:file getattr;
+
diff --git a/prebuilts/api/28.0/public/hal_usb_gadget.te b/prebuilts/api/28.0/public/hal_usb_gadget.te
new file mode 100644
index 000000000..16f4f0821
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_usb_gadget.te
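Review bot: `allow hal_usb sysfs:file write;` grants write on the generic `sysfs` label, i.e. every sysfs file that no finer label covers, whereas healthd.te in this same change writes through the narrower `sysfs_usb` label. If the attributes hal_usb writes live under a path that can carry `sysfs_usb` or a dedicated label, `allow hal_usb sysfs_usb:file write;` plus the matching labelling entry in the policy source would bound the damage a compromised USB HAL can do; this snapshot mirrors that source, so the tightening belongs there rather than here. The ten single-permission lines are also harder to audit than the grouped form the rest of the change uses, e.g. `allow hal_usb self:netlink_kobject_uevent_socket { create setopt bind read };` and `allow hal_usb sysfs:file { read open write getattr };`, and a comment stating which sysfs nodes the HAL touches would explain why `write` is needed at all.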
@@ -0,0 +1,14 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
+binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
+
+add_hwservice(hal_usb_gadget_server, hal_usb_gadget_hwservice)
+allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
+
+# Configuring usb gadget functions
+allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
+allow hal_usb_gadget_server configfs:dir rw_dir_perms;
+allow hal_usb_gadget_server configfs:file rw_file_perms;
+allow hal_usb_gadget_server functionfs:dir { read search };
+allow hal_usb_gadget_server functionfs:file read;
+
diff --git a/prebuilts/api/28.0/public/hal_vibrator.te b/prebuilts/api/28.0/public/hal_vibrator.te
new file mode 100644
index 000000000..9ce34cac2
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_vibrator.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
+allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/prebuilts/api/28.0/public/hal_vr.te b/prebuilts/api/28.0/public/hal_vr.te
new file mode 100644
index 000000000..3cb392d14
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_vr.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_weaver.te b/prebuilts/api/28.0/public/hal_weaver.te
new file mode 100644
index 000000000..b80ba292c
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_weaver.te
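Review bot: `allow hal_usb_gadget_server configfs:lnk_file { read create unlink};` is missing the space before the closing brace, unlike `{ read search }` three lines below; `{ read create unlink }` keeps the file consistent with the rest of the change. The hunk also ends with an empty `+` line, as does hal_usb.te, which the other sibling files in this change avoid.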
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_weaver_client, hal_weaver_server)
+
+add_hwservice(hal_weaver_server, hal_weaver_hwservice)
+allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_wifi.te b/prebuilts/api/28.0/public/hal_wifi.te
new file mode 100644
index 000000000..7cea7c740
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_wifi.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_client, hal_wifi_server)
+binder_call(hal_wifi_server, hal_wifi_client)
+
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
+r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, sysfs_type)
+
+set_prop(hal_wifi, exported_wifi_prop)
+set_prop(hal_wifi, wifi_prop)
+
+# allow hal wifi set interfaces up and down
+allow hal_wifi self:udp_socket create_socket_perms;
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+
+allow hal_wifi self:global_capability_class_set { net_admin net_raw };
+# allow hal_wifi to speak to nl80211 in the kernel
+allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
+# hal_wifi writes firmware paths to this file.
+allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
+# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
+allow hal_wifi proc_modules:file { getattr open read };
+
+# allow hal_wifi to write into /data/vendor/tombstones/wifi
+userdebug_or_eng(`
+ allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
+ allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
+')
diff --git a/prebuilts/api/28.0/public/hal_wifi_hostapd.te b/prebuilts/api/28.0/public/hal_wifi_hostapd.te
new file mode 100644
index 000000000..03a554674
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_wifi_hostapd.te
@@ -0,0 +1,28 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
+allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;
diff --git a/prebuilts/api/28.0/public/hal_wifi_offload.te b/prebuilts/api/28.0/public/hal_wifi_offload.te
new file mode 100644
index 000000000..dc0cf5a73
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_wifi_offload.te
@@ -0,0 +1,9 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
+binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
+
+add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
+allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
+
+r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/prebuilts/api/28.0/public/hal_wifi_supplicant.te b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
new file mode 100644
index 000000000..6bf0d3265
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
@@ -0,0 +1,29 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
+binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(hal_wifi_supplicant, sysfs_type)
+r_dir_file(hal_wifi_supplicant, proc_net)
+
+allow hal_wifi_supplicant kernel:system module_request;
+allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
+allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:packet_socket create_socket_perms;
+allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/prebuilts/api/28.0/public/healthd.te b/prebuilts/api/28.0/public/healthd.te
new file mode 100644
index 000000000..8a1d3ec29
--- /dev/null
+++ b/prebuilts/api/28.0/public/healthd.te
@@ -0,0 +1,58 @@
+# healthd - battery/charger monitoring service daemon
+type healthd, domain;
+type healthd_exec, exec_type, file_type;
+
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+allow healthd sysfs_type:dir search;
+r_dir_file(healthd, rootfs)
+r_dir_file(healthd, cgroup)
+
+# Read access to system files for passthrough HALs in
+# /{system,vendor,odm}/lib[64]/hw/
+r_dir_file(healthd, system_file)
+
+allow healthd self:global_capability_class_set { sys_tty_config };
+allow healthd self:global_capability_class_set sys_boot;
+
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+wakelock_use(healthd)
+
+hal_client_domain(healthd, hal_health)
+
+# Read/write to /sys/power/state
+allow healthd sysfs_power:file rw_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow healthd sysfs_usb:file write;
+
+r_dir_file(healthd, sysfs_batteryinfo)
+
+###
+### healthd: charger mode
+###
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow healthd pstorefs:dir r_dir_perms;
+allow healthd pstorefs:file r_file_perms;
+
+allow healthd graphics_device:dir r_dir_perms;
+allow healthd graphics_device:chr_file rw_file_perms;
+allow healthd input_device:dir r_dir_perms;
+allow healthd input_device:chr_file r_file_perms;
+allow healthd tty_device:chr_file rw_file_perms;
+allow healthd ashmem_device:chr_file execute;
+allow healthd self:process execmem;
+allow healthd proc_sysrq:file rw_file_perms;
+
+# Healthd needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported2_system_prop)
+set_prop(healthd, exported3_system_prop)
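Review bot: `allow healthd ashmem_device:chr_file execute;` and `allow healthd self:process execmem;` sit in the `healthd: charger mode` section with no comment, although `execmem` permits mappings that are both writable and executable and is normally something a policy author justifies explicitly. A comment of the form `# execmem / ashmem execute: needed by <component> in charger mode — confirm` would record the intent; which library actually requires it cannot be determined from the diff. The `# TODO: added to match above sysfs rule. Remove me?` question above `allow healthd sysfs_usb:file write;` is also carried into the frozen snapshot unresolved, so it is worth settling in the policy source this file mirrors.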
diff --git a/prebuilts/api/28.0/public/hwservice.te b/prebuilts/api/28.0/public/hwservice.te
new file mode 100644
index 000000000..ca2025870
--- /dev/null
+++ b/prebuilts/api/28.0/public/hwservice.te
@@ -0,0 +1,59 @@
+type default_android_hwservice, hwservice_manager_type;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_authsecret_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_broadcastradio_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_confirmationui_hwservice, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_lowpan_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_neuralnetworks_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_oemlock_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_tetheroffload_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_usb_gadget_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_weaver_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type;
+type hal_wifi_offload_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type;
diff --git a/prebuilts/api/28.0/public/hwservicemanager.te b/prebuilts/api/28.0/public/hwservicemanager.te
new file mode 100644
index 000000000..1ffd2a67e
--- /dev/null
+++ b/prebuilts/api/28.0/public/hwservicemanager.te
@@ -0,0 +1,22 @@
+# hwservicemanager - the Binder context manager for HAL services
+type hwservicemanager, domain, mlstrustedsubject;
+type hwservicemanager_exec, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+set_prop(hwservicemanager, hwservicemanager_prop)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/prebuilts/api/28.0/public/idmap.te b/prebuilts/api/28.0/public/idmap.te
new file mode 100644
index 000000000..3f336a32d
--- /dev/null
+++ b/prebuilts/api/28.0/public/idmap.te
@@ -0,0 +1,20 @@
+# idmap, when executed by installd
+type idmap, domain;
+type idmap_exec, exec_type, file_type;
+
+# Use open file to /data/resource-cache file inherited from installd.
+allow idmap installd:fd use;
+allow idmap resourcecache_data_file:file { getattr read write };
+
+# Ignore reading /proc//maps after a fork.
+dontaudit idmap installd:file read;
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
diff --git a/prebuilts/api/28.0/public/incident.te b/prebuilts/api/28.0/public/incident.te
new file mode 100644
index 000000000..ce57bf650
--- /dev/null
+++ b/prebuilts/api/28.0/public/incident.te
@@ -0,0 +1,8 @@
+# The incident command is used to call into the incidentd service to
+# take an incident report (binary, shared bugreport), download incident
+# reports that have already been taken, and monitor for new ones.
+# It doesn't do anything else.
+
+# incident
+type incident, domain;
+
diff --git a/prebuilts/api/28.0/public/incident_helper.te b/prebuilts/api/28.0/public/incident_helper.te
new file mode 100644
index 000000000..bca101869
--- /dev/null
+++ b/prebuilts/api/28.0/public/incident_helper.te
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
diff --git a/prebuilts/api/28.0/public/incidentd.te b/prebuilts/api/28.0/public/incidentd.te
new file mode 100644
index 000000000..b03249c88
--- /dev/null
+++ b/prebuilts/api/28.0/public/incidentd.te
@@ -0,0 +1,3 @@
+# incidentd
+type incidentd, domain;
+
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
new file mode 100644
index 000000000..c34e02842
--- /dev/null
+++ b/prebuilts/api/28.0/public/init.te
@@ -0,0 +1,502 @@
+# init is its own domain.
+type init, domain, mlstrustedsubject;
+
+# The init domain is entered by execing init.
+type init_exec, exec_type, file_type;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+#
+# init direct restorecon calls.
+#
+# /dev/kmsg
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { write relabelto };
+# /dev/kmsg_debug
+userdebug_or_eng(`
+ allow init kmsg_debug_device:chr_file { write relabelto };
+')
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { create_file_perms relabelto };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device }:dir relabelto;
+# /dev/random, /dev/urandom
+allow init random_device:chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+allow init {
+ misc_block_device
+ recovery_block_device
+ system_block_device
+}:{ blk_file lnk_file } relabelto;
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting, created before initial policy load or restorecon /dev.
+allow init tmpfs:file unlink;
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Create /dev/fscklogs files.
+allow init fscklogs:file create_file_perms;
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+r_dir_file(init, cgroup)
+allow init cpuctl_device:dir { create mounton };
+
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set dac_override;
+
+# Set system clock.
+allow init self:global_capability_class_set sys_time;
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init fs_type:filesystem ~relabelto;
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init..rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -misc_logd_file
+ -nativetest_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -app_data_file
+ -runtime_event_log_tags_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init cache_file:lnk_file r_file_perms;
+
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow init debugfs_tracing:file w_file_perms;
+
+# Setup and control wifi event tracing (see wifi-events.rc)
+allow init debugfs_tracing_instances:dir create_dir_perms;
+allow init debugfs_tracing_instances:file w_file_perms;
+allow init debugfs_wifi_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow init {
+ fs_type
+ -contextmount_type
+ -proc
+ -sdcard_type
+ -sysfs_type
+ -rootfs
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
+
+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init {
+ dev_type
+ -kmem_device
+ -port_device
+ -device
+ -vndbinder_device
+ }:chr_file { read open };
+auditallow init {
+ dev_type
+ -alarm_device
+ -ashmem_device
+ -binder_device
+ -console_device
+ -device
+ -devpts
+ -dm_device
+ -hwbinder_device
+ -hw_random_device
+ -keychord_device
+ -kmem_device
+ -kmsg_device
+ -null_device
+ -owntty_device
+ -port_device
+ -ptmx_device
+ -random_device
+ -zero_device
+}:chr_file { read open };
+
+# chown/chmod on devices.
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;
+
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net)
+
+allow init {
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
+
+allow init {
+ proc_abi
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_leds
+ sysfs_power
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# Allow init to write to vibrator/trigger
+allow init sysfs_vibrator:file w_file_perms;
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+}:file setattr;
+
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# This line seems suspect, as it should not really need to
+# set scheduling parameters for a kernel domain task.
+allow init kernel:process setsched;
+
+# swapon() needs write access to swap device
+# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
+allow init swap_block_device:blk_file rw_file_perms;
+
+# Read from /dev/hw_random if present.
+# system/core/init/init.c - mix_hwrng_into_linux_rng_action
+allow init hw_random_device:chr_file r_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# keychord configuration
+allow init self:global_capability_class_set sys_tty_config;
+allow init keychord_device:chr_file rw_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# Access metadata block device for storing dm-verity state
+allow init metadata_block_device:blk_file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops to detect restarts caused
+# by dm-verity detecting corrupted blocks
+allow init pstorefs:dir search;
+allow init pstorefs:file r_file_perms;
+allow init kernel:system syslog_read;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to create /data/unencrypted
+allow init unencrypted_data_file:dir create_dir_perms;
+
+# Allow init to write to /proc/sys/vm/overcommit_memory
+allow init proc_overcommit_memory:file { write };
+
+# Raw writes to misc block device
+allow init misc_block_device:blk_file w_file_perms;
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via an exec based transition from the
+# kernel domain, never via setcon().
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel } init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init app_data_file:lnk_file read;
+
+# init should never execute a program without changing to another domain.
+neverallow init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow init service_manager_type:service_manager { add find };
+neverallow init servicemanager:service_manager list;
+
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow init shell_data_file:dir { write add_name remove_name };
+
+# Init should not access sysfs node that are not explicitly labeled.
+neverallow init sysfs:file { open read write };
diff --git a/prebuilts/api/28.0/public/inputflinger.te b/prebuilts/api/28.0/public/inputflinger.te
new file mode 100644
index 000000000..e5f12a0c1
--- /dev/null
+++ b/prebuilts/api/28.0/public/inputflinger.te
@@ -0,0 +1,16 @@
+# inputflinger
+type inputflinger, domain;
+type inputflinger_exec, exec_type, file_type;
+
+binder_use(inputflinger)
+binder_service(inputflinger)
+
+binder_call(inputflinger, system_server)
+
+wakelock_use(inputflinger)
+
+add_service(inputflinger, inputflinger_service)
+allow inputflinger input_device:dir r_dir_perms;
+allow inputflinger input_device:chr_file rw_file_perms;
+
+r_dir_file(inputflinger, cgroup)
diff --git a/prebuilts/api/28.0/public/install_recovery.te b/prebuilts/api/28.0/public/install_recovery.te
new file mode 100644
index 000000000..ab688386e
--- /dev/null
+++ b/prebuilts/api/28.0/public/install_recovery.te
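Review bot: `allow init proc_overcommit_memory:file { write };` near the end of init.te duplicates a grant already made earlier in the same file, where `proc_overcommit_memory` is listed in the `}:file w_file_perms;` block; one of the two should go, preferably the standalone rule, so the write set for /proc is declared in a single place. The same applies to `allow init tmpfs:chr_file write;`, which is already covered by the `{ create setattr unlink rw_file_perms }` rule at the top of the file. The comment `# init..rc files often include device-specific types, so` appears to have lost a placeholder in rendering; I would restore it as `# init.<device>.rc files often include device-specific types, so` so the sentence explains why the following allow rules cover nearly all of file_type.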
@@ -0,0 +1,27 @@
+# service flash_recovery in init.rc
+type install_recovery, domain;
+type install_recovery_exec, exec_type, file_type;
+
+allow install_recovery self:global_capability_class_set dac_override;
+
+# /system/bin/install-recovery.sh is a shell script.
+# Needs to execute /system/bin/sh
+allow install_recovery shell_exec:file rx_file_perms;
+
+# Execute /system/bin/applypatch
+allow install_recovery system_file:file rx_file_perms;
+not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
+
+allow install_recovery toolbox_exec:file rx_file_perms;
+
+# Update the recovery block device based off a diff of the boot block device
+allow install_recovery block_device:dir search;
+allow install_recovery boot_block_device:blk_file r_file_perms;
+allow install_recovery recovery_block_device:blk_file rw_file_perms;
+
+# Create and delete /cache/saved.file
+allow install_recovery cache_file:dir rw_dir_perms;
+allow install_recovery cache_file:file create_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/prebuilts/api/28.0/public/installd.te b/prebuilts/api/28.0/public/installd.te
new file mode 100644
index 000000000..6aba962dd
--- /dev/null
+++ b/prebuilts/api/28.0/public/installd.te
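Review bot: `allow install_recovery self:global_capability_class_set dac_override;` is the only rule in install_recovery.te with no comment explaining which operation needs it, and dac_override is the one grant here that bypasses every DAC check; a line such as `# <operation> needs dac_override to <reason>` above it (or a justification for dropping it) is needed before this is frozen as a prebuilt. The comment `# Execute /system/bin/applypatch` sits above `allow install_recovery system_file:file rx_file_perms;`, which permits executing any file of type system_file rather than just applypatch; the comment should say so, or, if a tighter rule is wanted, the binary would need its own exec type, which is outside this hunk.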
@@ -0,0 +1,160 @@
+# installer daemon
+type installd, domain;
+type installd_exec, exec_type, file_type;
+typeattribute installd mlstrustedsubject;
+allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+
+# Allow labeling of files under /data/app/com.example/oat/
+allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
+
+# Allow movement of APK files between volumes
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+
+allow installd asec_apk_file:file r_file_perms;
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd oemfs:dir r_dir_perms;
+allow installd oemfs:file r_file_perms;
+allow installd cgroup:dir create_dir_perms;
+allow installd mnt_expand_file:dir { search getattr };
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+
+r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
+
+# Search /data/app-asec and stat files in it.
+allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;
+
+# Create /data/user and /data/user/0 if necessary.
+# Also required to initially create /data/data subdirectories
+# and lib symlinks before the setfilecon call. May want to
+# move symlink creation after setfilecon in installd.
+allow installd system_data_file:dir create_dir_perms;
+# Also, allow read for lnk_file so that we can process /data/user/0 links when
+# optimizing application code.
+allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+
+# Upgrade /data/media for multi-user if necessary.
+allow installd media_rw_data_file:dir create_dir_perms;
+allow installd media_rw_data_file:file { getattr unlink };
+# restorecon new /data/media directory.
+allow installd system_data_file:dir relabelfrom;
+allow installd media_rw_data_file:dir relabelto;
+
+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
+allow installd sdcardfs:file { getattr unlink };
+
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
+# Create /data/.layout_version.* file
+allow installd install_data_file:file create_file_perms;
+
+# Create files under /data/dalvik-cache.
+allow installd dalvikcache_data_file:dir create_dir_perms;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_data_file:lnk_file getattr;
+
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
+# Upgrade from unlabeled userdata.
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
+
+# Upgrade from before system_app_data_file was used for system UID apps.
+# Just need enough to relabel it and to unlink removed package files.
+# Directory access covered by earlier rule above.
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
+
+# Manage /data/data subdirectories, including initially labeling them
+# upon creation via setfilecon or running restorecon_recursive,
+# setting owner/mode, creating symlinks within them, and deleting them
+# upon package uninstall.
+# Types extracted from seapp_contexts type= fields.
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+}:dir { create_dir_perms relabelfrom relabelto };
+
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:dir rmdir;
+allow installd user_profile_data_file:file unlink;
+
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
+
+# Create and use pty created by android_fork_execvp().
+allow installd devpts:chr_file rw_file_perms;
+
+# execute toybox for app relocation
+allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+add_service(installd, installd_service)
+allow installd dumpstate:fifo_file { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
+
+# Allow installd to delete from /data/preloads when trimming data caches
+# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
+allow installd preloads_data_file:file { r_file_perms unlink };
+allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+###
+### Neverallow rules
+###
+
+# only system_server, installd and dumpstate may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } installd:binder call;
+neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/prebuilts/api/28.0/public/ioctl_defines b/prebuilts/api/28.0/public/ioctl_defines
new file mode 100644
index 000000000..4097fb935
--- /dev/null
+++ b/prebuilts/api/28.0/public/ioctl_defines
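Review bot: `sys_admin` in `allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };` at the top of installd.te is granted without a comment, and it is by far the broadest capability in that set; the later `allow installd labeledfs:filesystem { quotaget quotamod };` suggests quotactl is the reason, but that is my inference, and a `# sys_admin: needed for quotactl(2) on /data` style note at the grant would pin it down for the next reader. Two rules depart from the brace style used everywhere else in the file: `allow installd keychain_data_file:file {r_file_perms unlink};` has no spaces inside the braces, and `allow installd block_device:dir { search };` braces a single permission; `{ r_file_perms unlink }` and plain `search` would match the rest of the file.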
@@ -0,0 +1,2694 @@ +define(`FIBMAP', `0x00000001') +define(`FIGETBSZ', `0x00000002') +define(`FDCLRPRM', `0x00000241') +define(`FDMSGON', `0x00000245') +define(`FDMSGOFF', `0x00000246') +define(`FDFMTBEG', `0x00000247') +define(`FDFMTEND', `0x00000249') +define(`FDSETEMSGTRESH', `0x0000024a') +define(`FDFLUSH', `0x0000024b') +define(`FDRESET', `0x00000254') +define(`FDWERRORCLR', `0x00000256') +define(`FDRAWCMD', `0x00000258') +define(`FDTWADDLE', `0x00000259') +define(`FDEJECT', `0x0000025a') +define(`HDIO_GETGEO', `0x00000301') +define(`HDIO_GET_UNMASKINTR', `0x00000302') +define(`HDIO_GET_MULTCOUNT', `0x00000304') +define(`HDIO_GET_QDMA', `0x00000305') +define(`HDIO_SET_XFER', `0x00000306') +define(`HDIO_OBSOLETE_IDENTITY', `0x00000307') +define(`HDIO_GET_KEEPSETTINGS', `0x00000308') +define(`HDIO_GET_32BIT', `0x00000309') +define(`HDIO_GET_NOWERR', `0x0000030a') +define(`HDIO_GET_DMA', `0x0000030b') +define(`HDIO_GET_NICE', `0x0000030c') +define(`HDIO_GET_IDENTITY', `0x0000030d') +define(`HDIO_GET_WCACHE', `0x0000030e') +define(`HDIO_GET_ACOUSTIC', `0x0000030f') +define(`HDIO_GET_ADDRESS', `0x00000310') +define(`HDIO_GET_BUSSTATE', `0x0000031a') +define(`HDIO_TRISTATE_HWIF', `0x0000031b') +define(`HDIO_DRIVE_RESET', `0x0000031c') +define(`HDIO_DRIVE_TASKFILE', `0x0000031d') +define(`HDIO_DRIVE_TASK', `0x0000031e') +define(`HDIO_DRIVE_CMD', `0x0000031f') +define(`HDIO_SET_MULTCOUNT', `0x00000321') +define(`HDIO_SET_UNMASKINTR', `0x00000322') +define(`HDIO_SET_KEEPSETTINGS', `0x00000323') +define(`HDIO_SET_32BIT', `0x00000324') +define(`HDIO_SET_NOWERR', `0x00000325') +define(`HDIO_SET_DMA', `0x00000326') +define(`HDIO_SET_PIO_MODE', `0x00000327') +define(`HDIO_SCAN_HWIF', `0x00000328') +define(`HDIO_SET_NICE', `0x00000329') +define(`HDIO_UNREGISTER_HWIF', `0x0000032a') +define(`HDIO_SET_WCACHE', `0x0000032b') +define(`HDIO_SET_ACOUSTIC', `0x0000032c') +define(`HDIO_SET_BUSSTATE', `0x0000032d') +define(`HDIO_SET_QDMA', `0x0000032e') +define(`HDIO_SET_ADDRESS', 
`0x0000032f') +define(`IOCTL_VMCI_VERSION', `0x0000079f') +define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0') +define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4') +define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5') +define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6') +define(`IOCTL_VMCI_VERSION2', `0x000007a7') +define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8') +define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9') +define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa') +define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab') +define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac') +define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af') +define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0') +define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1') +define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2') +define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3') +define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4') +define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8') +define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9') +define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9') +define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb') +define(`RAID_AUTORUN', `0x00000914') +define(`CLEAR_ARRAY', `0x00000920') +define(`HOT_REMOVE_DISK', `0x00000922') +define(`SET_DISK_INFO', `0x00000924') +define(`WRITE_RAID_INFO', `0x00000925') +define(`UNPROTECT_ARRAY', `0x00000926') +define(`PROTECT_ARRAY', `0x00000927') +define(`HOT_ADD_DISK', `0x00000928') +define(`SET_DISK_FAULTY', `0x00000929') +define(`HOT_GENERATE_ERROR', `0x0000092a') +define(`STOP_ARRAY', `0x00000932') +define(`STOP_ARRAY_RO', `0x00000933') +define(`RESTART_ARRAY_RW', `0x00000934') +define(`BLKROSET', `0x0000125d') +define(`BLKROGET', `0x0000125e') +define(`BLKRRPART', `0x0000125f') +define(`BLKGETSIZE', `0x00001260') +define(`BLKFLSBUF', `0x00001261') +define(`BLKRASET', `0x00001262') +define(`BLKRAGET', `0x00001263') +define(`BLKFRASET', `0x00001264') +define(`BLKFRAGET', `0x00001265') +define(`BLKSECTSET', `0x00001266') 
+define(`BLKSECTGET', `0x00001267') +define(`BLKSSZGET', `0x00001268') +define(`BLKPG', `0x00001269') +define(`BLKTRACESTART', `0x00001274') +define(`BLKTRACESTOP', `0x00001275') +define(`BLKTRACETEARDOWN', `0x00001276') +define(`BLKDISCARD', `0x00001277') +define(`BLKIOMIN', `0x00001278') +define(`BLKIOOPT', `0x00001279') +define(`BLKALIGNOFF', `0x0000127a') +define(`BLKPBSZGET', `0x0000127b') +define(`BLKDISCARDZEROES', `0x0000127c') +define(`BLKSECDISCARD', `0x0000127d') +define(`BLKROTATIONAL', `0x0000127e') +define(`BLKZEROOUT', `0x0000127f') +define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03') +define(`SG_SET_TIMEOUT', `0x00002201') +define(`SG_GET_TIMEOUT', `0x00002202') +define(`SG_EMULATED_HOST', `0x00002203') +define(`SG_SET_TRANSFORM', `0x00002204') +define(`SG_GET_TRANSFORM', `0x00002205') +define(`SG_GET_COMMAND_Q', `0x00002270') +define(`SG_SET_COMMAND_Q', `0x00002271') +define(`SG_GET_RESERVED_SIZE', `0x00002272') +define(`SG_SET_RESERVED_SIZE', `0x00002275') +define(`SG_GET_SCSI_ID', `0x00002276') +define(`SG_SET_FORCE_LOW_DMA', `0x00002279') +define(`SG_GET_LOW_DMA', `0x0000227a') +define(`SG_SET_FORCE_PACK_ID', `0x0000227b') +define(`SG_GET_PACK_ID', `0x0000227c') +define(`SG_GET_NUM_WAITING', `0x0000227d') +define(`SG_SET_DEBUG', `0x0000227e') +define(`SG_GET_SG_TABLESIZE', `0x0000227f') +define(`SG_GET_VERSION_NUM', `0x00002282') +define(`SG_NEXT_CMD_LEN', `0x00002283') +define(`SG_SCSI_RESET', `0x00002284') +define(`SG_IO', `0x00002285') +define(`SG_GET_REQUEST_TABLE', `0x00002286') +define(`SG_SET_KEEP_ORPHAN', `0x00002287') +define(`SG_GET_KEEP_ORPHAN', `0x00002288') +define(`SG_GET_ACCESS_COUNT', `0x00002289') +define(`FW_CDEV_IOC_GET_SPEED', `0x00002311') +define(`PERF_EVENT_IOC_ENABLE', `0x00002400') +define(`PERF_EVENT_IOC_DISABLE', `0x00002401') +define(`PERF_EVENT_IOC_REFRESH', `0x00002402') +define(`PERF_EVENT_IOC_RESET', `0x00002403') +define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405') +define(`SNAPSHOT_FREEZE', `0x00003301') 
+define(`SNAPSHOT_UNFREEZE', `0x00003302') +define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304') +define(`SNAPSHOT_FREE', `0x00003305') +define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309') +define(`SNAPSHOT_S2RAM', `0x0000330b') +define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f') +define(`SNAPSHOT_POWER_OFF', `0x00003310') +define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312') +define(`VFIO_GET_API_VERSION', `0x00003b64') +define(`VFIO_CHECK_EXTENSION', `0x00003b65') +define(`VFIO_SET_IOMMU', `0x00003b66') +define(`VFIO_GROUP_GET_STATUS', `0x00003b67') +define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68') +define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69') +define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a') +define(`VFIO_DEVICE_GET_INFO', `0x00003b6b') +define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c') +define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d') +define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e') +define(`VFIO_DEVICE_RESET', `0x00003b6f') +define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70') +define(`VFIO_IOMMU_GET_INFO', `0x00003b70') +define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70') +define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71') +define(`VFIO_IOMMU_MAP_DMA', `0x00003b71') +define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72') +define(`VFIO_IOMMU_ENABLE', `0x00003b73') +define(`VFIO_IOMMU_DISABLE', `0x00003b74') +define(`VFIO_EEH_PE_OP', `0x00003b79') +define(`AGPIOC_ACQUIRE', `0x00004101') +define(`APM_IOC_STANDBY', `0x00004101') +define(`AGPIOC_RELEASE', `0x00004102') +define(`APM_IOC_SUSPEND', `0x00004102') +define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a') +define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112') +define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122') +define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140') +define(`SNDRV_PCM_IOCTL_RESET', `0x00004141') +define(`SNDRV_PCM_IOCTL_START', `0x00004142') +define(`SNDRV_PCM_IOCTL_DROP', `0x00004143') +define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144') +define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147') +define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148') 
+define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161') +define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200') +define(`PMU_IOC_SLEEP', `0x00004200') +define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201') +define(`CCISS_REVALIDVOLS', `0x0000420a') +define(`CCISS_DEREGDISK', `0x0000420c') +define(`CCISS_REGNEWD', `0x0000420e') +define(`CCISS_RESCANDISK', `0x00004210') +define(`SNDCTL_COPR_RESET', `0x00004300') +define(`SNDRV_COMPRESS_PAUSE', `0x00004330') +define(`SNDRV_COMPRESS_RESUME', `0x00004331') +define(`SNDRV_COMPRESS_START', `0x00004332') +define(`SNDRV_COMPRESS_STOP', `0x00004333') +define(`SNDRV_COMPRESS_DRAIN', `0x00004334') +define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335') +define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336') +define(`IOCTL_EVTCHN_RESET', `0x00004505') +define(`FBIOGET_VSCREENINFO', `0x00004600') +define(`FBIOPUT_VSCREENINFO', `0x00004601') +define(`FBIOGET_FSCREENINFO', `0x00004602') +define(`FBIOGETCMAP', `0x00004604') +define(`FBIOPUTCMAP', `0x00004605') +define(`FBIOPAN_DISPLAY', `0x00004606') +define(`FBIOGET_CON2FBMAP', `0x0000460f') +define(`FBIOPUT_CON2FBMAP', `0x00004610') +define(`FBIOBLANK', `0x00004611') +define(`FBIO_ALLOC', `0x00004613') +define(`FBIO_FREE', `0x00004614') +define(`FBIOGET_GLYPH', `0x00004615') +define(`FBIOGET_HWCINFO', `0x00004616') +define(`FBIOPUT_MODEINFO', `0x00004617') +define(`FBIOGET_DISPINFO', `0x00004618') +define(`FBIO_WAITEVENT', `0x00004688') +define(`GSMIOC_DISABLE_NET', `0x00004703') +define(`HIDIOCAPPLICATION', `0x00004802') +define(`HIDIOCINITREPORT', `0x00004805') +define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812') +define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814') +define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815') +define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816') +define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821') +define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840') +define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880') +define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881') 
+define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882') +define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882') +define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883') +define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9') +define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa') +define(`IIOCNETAIF', `0x00004901') +define(`IIOCNETDIF', `0x00004902') +define(`IIOCNETSCF', `0x00004903') +define(`IIOCNETGCF', `0x00004904') +define(`IIOCNETANM', `0x00004905') +define(`IIOCNETDNM', `0x00004906') +define(`IIOCNETGNM', `0x00004907') +define(`IIOCGETSET', `0x00004908') +define(`IIOCSETSET', `0x00004909') +define(`IIOCSETVER', `0x0000490a') +define(`IIOCNETHUP', `0x0000490b') +define(`IIOCSETGST', `0x0000490c') +define(`IIOCSETBRJ', `0x0000490d') +define(`IIOCSIGPRF', `0x0000490e') +define(`IIOCGETPRF', `0x0000490f') +define(`IIOCSETPRF', `0x00004910') +define(`IIOCGETMAP', `0x00004911') +define(`IIOCSETMAP', `0x00004912') +define(`IIOCNETASL', `0x00004913') +define(`IIOCNETDIL', `0x00004914') +define(`IIOCGETCPS', `0x00004915') +define(`IIOCGETDVR', `0x00004916') +define(`IIOCNETLCR', `0x00004917') +define(`IIOCNETDWRSET', `0x00004918') +define(`IIOCNETALN', `0x00004920') +define(`IIOCNETDLN', `0x00004921') +define(`IIOCNETGPN', `0x00004922') +define(`IIOCDBGVAR', `0x0000497f') +define(`IIOCDRVCTL', `0x00004980') +define(`ION_IOC_TEST_SET_FD', `0x000049f0') +define(`KIOCSOUND', `0x00004b2f') +define(`KDMKTONE', `0x00004b30') +define(`KDGETLED', `0x00004b31') +define(`KDSETLED', `0x00004b32') +define(`KDGKBTYPE', `0x00004b33') +define(`KDADDIO', `0x00004b34') +define(`KDDELIO', `0x00004b35') +define(`KDENABIO', `0x00004b36') +define(`KDDISABIO', `0x00004b37') +define(`KDSETMODE', `0x00004b3a') +define(`KDGETMODE', `0x00004b3b') +define(`KDMAPDISP', `0x00004b3c') +define(`KDUNMAPDISP', `0x00004b3d') +define(`GIO_SCRNMAP', `0x00004b40') +define(`PIO_SCRNMAP', `0x00004b41') +define(`KDGKBMODE', `0x00004b44') +define(`KDSKBMODE', `0x00004b45') +define(`KDGKBENT', 
`0x00004b46') +define(`KDSKBENT', `0x00004b47') +define(`KDGKBSENT', `0x00004b48') +define(`KDSKBSENT', `0x00004b49') +define(`KDGKBDIACR', `0x00004b4a') +define(`KDSKBDIACR', `0x00004b4b') +define(`KDGETKEYCODE', `0x00004b4c') +define(`KDSETKEYCODE', `0x00004b4d') +define(`KDSIGACCEPT', `0x00004b4e') +define(`KDKBDREP', `0x00004b52') +define(`GIO_FONT', `0x00004b60') +define(`PIO_FONT', `0x00004b61') +define(`KDGKBMETA', `0x00004b62') +define(`KDSKBMETA', `0x00004b63') +define(`KDGKBLED', `0x00004b64') +define(`KDSKBLED', `0x00004b65') +define(`GIO_UNIMAP', `0x00004b66') +define(`PIO_UNIMAP', `0x00004b67') +define(`PIO_UNIMAPCLR', `0x00004b68') +define(`GIO_UNISCRNMAP', `0x00004b69') +define(`PIO_UNISCRNMAP', `0x00004b6a') +define(`GIO_FONTX', `0x00004b6b') +define(`PIO_FONTX', `0x00004b6c') +define(`PIO_FONTRESET', `0x00004b6d') +define(`GIO_CMAP', `0x00004b70') +define(`PIO_CMAP', `0x00004b71') +define(`KDFONTOP', `0x00004b72') +define(`KDGKBDIACRUC', `0x00004bfa') +define(`KDSKBDIACRUC', `0x00004bfb') +define(`LOOP_SET_FD', `0x00004c00') +define(`LOOP_CLR_FD', `0x00004c01') +define(`LOOP_SET_STATUS', `0x00004c02') +define(`LOOP_GET_STATUS', `0x00004c03') +define(`LOOP_SET_STATUS64', `0x00004c04') +define(`LOOP_GET_STATUS64', `0x00004c05') +define(`LOOP_CHANGE_FD', `0x00004c06') +define(`LOOP_SET_CAPACITY', `0x00004c07') +define(`LOOP_CTL_ADD', `0x00004c80') +define(`LOOP_CTL_REMOVE', `0x00004c81') +define(`LOOP_CTL_GET_FREE', `0x00004c82') +define(`MTDFILEMODE', `0x00004d13') +define(`NVME_IOCTL_ID', `0x00004e40') +define(`UBI_IOCVOLRMBLK', `0x00004f08') +define(`OMAPFB_SYNC_GFX', `0x00004f25') +define(`OMAPFB_VSYNC', `0x00004f26') +define(`OMAPFB_WAITFORVSYNC', `0x00004f39') +define(`OMAPFB_WAITFORGO', `0x00004f3c') +define(`SNDCTL_DSP_RESET', `0x00005000') +define(`SNDCTL_DSP_SYNC', `0x00005001') +define(`SNDCTL_DSP_POST', `0x00005008') +define(`SNDCTL_DSP_NONBLOCK', `0x0000500e') +define(`SNDCTL_DSP_SETSYNCRO', `0x00005015') +define(`SNDCTL_DSP_SETDUPLEX', 
`0x00005016') +define(`SNDCTL_SEQ_RESET', `0x00005100') +define(`SNDCTL_SEQ_SYNC', `0x00005101') +define(`SNDCTL_SEQ_PANIC', `0x00005111') +define(`RFKILL_IOCTL_NOINPUT', `0x00005201') +define(`RNDZAPENTCNT', `0x00005204') +define(`RNDCLEARPOOL', `0x00005206') +define(`CDROMPAUSE', `0x00005301') +define(`CDROMRESUME', `0x00005302') +define(`CDROMPLAYMSF', `0x00005303') +define(`CDROMPLAYTRKIND', `0x00005304') +define(`CDROMREADTOCHDR', `0x00005305') +define(`CDROMREADTOCENTRY', `0x00005306') +define(`CDROMSTOP', `0x00005307') +define(`CDROMSTART', `0x00005308') +define(`CDROMEJECT', `0x00005309') +define(`CDROMVOLCTRL', `0x0000530a') +define(`CDROMSUBCHNL', `0x0000530b') +define(`CDROMREADMODE2', `0x0000530c') +define(`CDROMREADMODE1', `0x0000530d') +define(`CDROMREADAUDIO', `0x0000530e') +define(`CDROMEJECT_SW', `0x0000530f') +define(`CDROMMULTISESSION', `0x00005310') +define(`CDROM_GET_MCN', `0x00005311') +define(`CDROMRESET', `0x00005312') +define(`CDROMVOLREAD', `0x00005313') +define(`CDROMREADRAW', `0x00005314') +define(`CDROMREADCOOKED', `0x00005315') +define(`CDROMSEEK', `0x00005316') +define(`CDROMPLAYBLK', `0x00005317') +define(`CDROMREADALL', `0x00005318') +define(`CDROMCLOSETRAY', `0x00005319') +define(`CDROMGETSPINDOWN', `0x0000531d') +define(`CDROMSETSPINDOWN', `0x0000531e') +define(`CDROM_SET_OPTIONS', `0x00005320') +define(`CDROM_CLEAR_OPTIONS', `0x00005321') +define(`CDROM_SELECT_SPEED', `0x00005322') +define(`CDROM_SELECT_DISC', `0x00005323') +define(`CDROM_MEDIA_CHANGED', `0x00005325') +define(`CDROM_DRIVE_STATUS', `0x00005326') +define(`CDROM_DISC_STATUS', `0x00005327') +define(`CDROM_CHANGER_NSLOTS', `0x00005328') +define(`CDROM_LOCKDOOR', `0x00005329') +define(`CDROM_DEBUG', `0x00005330') +define(`CDROM_GET_CAPABILITY', `0x00005331') +define(`SCSI_IOCTL_DOORLOCK', `0x00005380') +define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381') +define(`CDROMAUDIOBUFSIZ', `0x00005382') +define(`SCSI_IOCTL_GET_IDLUN', `0x00005382') +define(`SCSI_IOCTL_PROBE_HOST', 
`0x00005385') +define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386') +define(`SCSI_IOCTL_GET_PCI', `0x00005387') +define(`DVD_READ_STRUCT', `0x00005390') +define(`DVD_WRITE_STRUCT', `0x00005391') +define(`DVD_AUTH', `0x00005392') +define(`CDROM_SEND_PACKET', `0x00005393') +define(`CDROM_NEXT_WRITABLE', `0x00005394') +define(`CDROM_LAST_WRITTEN', `0x00005395') +define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401)) +define(`SNDCTL_TMR_START', `0x00005402') +define(`TCSETS', `0x00005402') +define(`SNDCTL_TMR_STOP', `0x00005403') +define(`TCSETSW', `0x00005403') +define(`SNDCTL_TMR_CONTINUE', `0x00005404') +define(`TCSETSF', `0x00005404') +define(`TCGETA', `0x00005405') +define(`TCSETA', `0x00005406') +define(`TCSETAW', `0x00005407') +define(`TCSETAF', `0x00005408') +define(`TCSBRK', `0x00005409') +define(`TCXONC', `0x0000540a') +define(`TCFLSH', `0x0000540b') +define(`TIOCEXCL', `0x0000540c') +define(`TIOCNXCL', `0x0000540d') +define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e)) +define(`TIOCGPGRP', `0x0000540f') +define(`TIOCSPGRP', `0x00005410') +define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411)) +define(`TIOCSTI', `0x00005412') +define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413)) +define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414)) +define(`TIOCMGET', `0x00005415') +define(`TIOCMBIS', `0x00005416') +define(`TIOCMBIC', `0x00005417') +define(`TIOCMSET', `0x00005418') +define(`TIOCGSOFTCAR', `0x00005419') +define(`TIOCSSOFTCAR', `0x0000541a') +define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b)) +define(`TIOCLINUX', `0x0000541c') +define(`TIOCCONS', `0x0000541d') +define(`TIOCGSERIAL', `0x0000541e') +define(`TIOCSSERIAL', `0x0000541f') +define(`TIOCPKT', `0x00005420') +define(`FIONBIO', `0x00005421') +define(`TIOCNOTTY', `0x00005422') +define(`TIOCSETD', `0x00005423') +define(`TIOCGETD', `0x00005424') +define(`TCSBRKP', `0x00005425') +define(`TIOCSBRK', 
`0x00005427') +define(`TIOCCBRK', `0x00005428') +define(`TIOCGSID', `0x00005429') +define(`TIOCGRS485', `0x0000542e') +define(`TIOCSRS485', `0x0000542f') +define(`TCGETX', `0x00005432') +define(`TCSETX', `0x00005433') +define(`TCSETXF', `0x00005434') +define(`TCSETXW', `0x00005435') +define(`TIOCVHANGUP', `0x00005437') +define(`FIONCLEX', `0x00005450') +define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451)) +define(`FIOASYNC', `0x00005452') +define(`TIOCSERCONFIG', `0x00005453') +define(`TIOCSERGWILD', `0x00005454') +define(`TIOCSERSWILD', `0x00005455') +define(`TIOCGLCKTRMIOS', `0x00005456') +define(`TIOCSLCKTRMIOS', `0x00005457') +define(`TIOCSERGSTRUCT', `0x00005458') +define(`TIOCSERGETLSR', `0x00005459') +define(`TIOCSERGETMULTI', `0x0000545a') +define(`TIOCSERSETMULTI', `0x0000545b') +define(`TIOCMIWAIT', `0x0000545c') +define(`TIOCGICOUNT', `0x0000545d') +define(`FIOQSIZE', `0x00005460') +define(`SNDRV_TIMER_IOCTL_START', `0x000054a0') +define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1') +define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2') +define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3') +define(`UI_DEV_CREATE', `0x00005501') +define(`UI_DEV_DESTROY', `0x00005502') +define(`USBDEVFS_DISCARDURB', `0x0000550b') +define(`USBDEVFS_RESET', `0x00005514') +define(`USBDEVFS_DISCONNECT', `0x00005516') +define(`USBDEVFS_CONNECT', `0x00005517') +define(`VT_OPENQRY', `0x00005600') +define(`VIDIOC_RESERVED', `0x00005601') +define(`VT_GETMODE', `0x00005601') +define(`VT_SETMODE', `0x00005602') +define(`VT_GETSTATE', `0x00005603') +define(`VT_SENDSIG', `0x00005604') +define(`VT_RELDISP', `0x00005605') +define(`VT_ACTIVATE', `0x00005606') +define(`VT_WAITACTIVE', `0x00005607') +define(`VT_DISALLOCATE', `0x00005608') +define(`VT_RESIZE', `0x00005609') +define(`VT_RESIZEX', `0x0000560a') +define(`VT_LOCKSWITCH', `0x0000560b') +define(`VT_UNLOCKSWITCH', `0x0000560c') +define(`VT_GETHIFONTMASK', `0x0000560d') +define(`VT_WAITEVENT', `0x0000560e') 
+define(`VT_SETACTIVATE', `0x0000560f') +define(`VIDIOC_LOG_STATUS', `0x00005646') +define(`ADV7842_CMD_RAM_TEST', `0x000056c0') +define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01') +define(`USBTMC_IOCTL_CLEAR', `0x00005b02') +define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03') +define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04') +define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06') +define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07') +define(`ANDROID_ALARM_WAIT', `0x00006101') +define(`NS_ADJBUFLEV', `0x00006163') +define(`SIOCSIFATMTCP', `0x00006180') +define(`ATMTCP_CREATE', `0x0000618e') +define(`ATMTCP_REMOVE', `0x0000618f') +define(`ATMLEC_CTRL', `0x000061d0') +define(`ATMLEC_DATA', `0x000061d1') +define(`ATMLEC_MCAST', `0x000061d2') +define(`ATMMPC_CTRL', `0x000061d8') +define(`ATMMPC_DATA', `0x000061d9') +define(`SIOCMKCLIP', `0x000061e0') +define(`ATMARPD_CTRL', `0x000061e1') +define(`ATMARP_MKIP', `0x000061e2') +define(`ATMARP_SETENTRY', `0x000061e3') +define(`ATMARP_ENCAP', `0x000061e5') +define(`ATMSIGD_CTRL', `0x000061f0') +define(`BT819_FIFO_RESET_LOW', `0x00006200') +define(`BT819_FIFO_RESET_HIGH', `0x00006201') +define(`CM_IOCSRDR', `0x00006303') +define(`CM_IOCARDOFF', `0x00006304') +define(`BC_REGISTER_LOOPER', `0x0000630b') +define(`BC_ENTER_LOOPER', `0x0000630c') +define(`BC_EXIT_LOOPER', `0x0000630d') +define(`CHIOINITELEM', `0x00006311') +define(`DRM_IOCTL_SET_MASTER', `0x0000641e') +define(`DRM_IOCTL_DROP_MASTER', `0x0000641f') +define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430') +define(`DRM_IOCTL_AGP_RELEASE', `0x00006431') +define(`DRM_IOCTL_I915_FLUSH', `0x00006441') +define(`DRM_IOCTL_R128_CCE_START', `0x00006441') +define(`DRM_IOCTL_RADEON_CP_START', `0x00006441') +define(`DRM_IOCTL_I915_FLIP', `0x00006442') +define(`DRM_IOCTL_MGA_RESET', `0x00006442') +define(`DRM_IOCTL_I810_FLUSH', `0x00006443') +define(`DRM_IOCTL_MGA_SWAP', `0x00006443') +define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443') +define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443') 
+define(`DRM_IOCTL_I810_GETAGE', `0x00006444') +define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444') +define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444') +define(`DRM_IOCTL_RADEON_RESET', `0x00006445') +define(`DRM_IOCTL_I810_SWAP', `0x00006446') +define(`DRM_IOCTL_R128_RESET', `0x00006446') +define(`DRM_IOCTL_R128_SWAP', `0x00006447') +define(`DRM_IOCTL_RADEON_SWAP', `0x00006447') +define(`DRM_IOCTL_I810_DOCOPY', `0x00006448') +define(`DRM_IOCTL_VIA_FLUSH', `0x00006449') +define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a') +define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b') +define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d') +define(`DRM_IOCTL_I810_FLIP', `0x0000644e') +define(`DRM_IOCTL_RADEON_FLIP', `0x00006452') +define(`DRM_IOCTL_R128_FLIP', `0x00006453') +define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458') +define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458') +define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459') +define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a') +define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500') +define(`FUNCTIONFS_FIFO_STATUS', `0x00006701') +define(`GADGETFS_FIFO_STATUS', `0x00006701') +define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702') +define(`GADGETFS_FIFO_FLUSH', `0x00006702') +define(`FUNCTIONFS_CLEAR_HALT', `0x00006703') +define(`GADGETFS_CLEAR_HALT', `0x00006703') +define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780') +define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781') +define(`HPET_IE_ON', `0x00006801') +define(`HPET_IE_OFF', `0x00006802') +define(`HPET_EPI', `0x00006804') +define(`HPET_DPI', `0x00006805') +define(`LIRC_NOTIFY_DECODE', `0x00006920') +define(`LIRC_SETUP_START', `0x00006921') +define(`LIRC_SETUP_END', `0x00006922') +define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00') +define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01') +define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02') +define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03') +define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04') +define(`KYRO_IOCTL_STRIDE', `0x00006b05') +define(`HSC_RESET', `0x00006b10') 
+define(`HSC_SET_PM', `0x00006b11') +define(`HSC_SEND_BREAK', `0x00006b12') +define(`MMTIMER_GETOFFSET', `0x00006d00') +define(`MGSL_IOCSTXIDLE', `0x00006d02') +define(`MGSL_IOCGTXIDLE', `0x00006d03') +define(`MGSL_IOCTXENABLE', `0x00006d04') +define(`MMTIMER_GETBITS', `0x00006d04') +define(`MGSL_IOCRXENABLE', `0x00006d05') +define(`MGSL_IOCTXABORT', `0x00006d06') +define(`MMTIMER_MMAPAVAIL', `0x00006d06') +define(`MGSL_IOCGSTATS', `0x00006d07') +define(`MGSL_IOCLOOPTXDONE', `0x00006d09') +define(`MGSL_IOCSIF', `0x00006d0a') +define(`MGSL_IOCGIF', `0x00006d0b') +define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f') +define(`MGSL_IOCSXSYNC', `0x00006d13') +define(`MGSL_IOCGXSYNC', `0x00006d14') +define(`MGSL_IOCSXCTRL', `0x00006d15') +define(`MGSL_IOCGXCTRL', `0x00006d16') +define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03') +define(`AUDIO_STOP', `0x00006f01') +define(`AUDIO_PLAY', `0x00006f02') +define(`AUDIO_PAUSE', `0x00006f03') +define(`AUDIO_CONTINUE', `0x00006f04') +define(`AUDIO_SELECT_SOURCE', `0x00006f05') +define(`AUDIO_SET_MUTE', `0x00006f06') +define(`AUDIO_SET_AV_SYNC', `0x00006f07') +define(`AUDIO_SET_BYPASS_MODE', `0x00006f08') +define(`AUDIO_CHANNEL_SELECT', `0x00006f09') +define(`AUDIO_CLEAR_BUFFER', `0x00006f0c') +define(`AUDIO_SET_ID', `0x00006f0d') +define(`AUDIO_SET_STREAMTYPE', `0x00006f0f') +define(`AUDIO_SET_EXT_ID', `0x00006f10') +define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14') +define(`VIDEO_STOP', `0x00006f15') +define(`VIDEO_PLAY', `0x00006f16') +define(`VIDEO_FREEZE', `0x00006f17') +define(`VIDEO_CONTINUE', `0x00006f18') +define(`VIDEO_SELECT_SOURCE', `0x00006f19') +define(`VIDEO_SET_BLANK', `0x00006f1a') +define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d') +define(`VIDEO_FAST_FORWARD', `0x00006f1f') +define(`VIDEO_SLOWMOTION', `0x00006f20') +define(`VIDEO_CLEAR_BUFFER', `0x00006f22') +define(`VIDEO_SET_ID', `0x00006f23') +define(`VIDEO_SET_STREAMTYPE', `0x00006f24') +define(`VIDEO_SET_FORMAT', `0x00006f25') +define(`VIDEO_SET_SYSTEM', 
`0x00006f26') +define(`DMX_START', `0x00006f29') +define(`DMX_STOP', `0x00006f2a') +define(`DMX_SET_BUFFER_SIZE', `0x00006f2d') +define(`NET_REMOVE_IF', `0x00006f35') +define(`VIDEO_SET_ATTRIBUTES', `0x00006f35') +define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e') +define(`FE_DISEQC_SEND_BURST', `0x00006f41') +define(`FE_SET_TONE', `0x00006f42') +define(`FE_SET_VOLTAGE', `0x00006f43') +define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44') +define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50') +define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51') +define(`CA_RESET', `0x00006f80') +define(`RTC_AIE_ON', `0x00007001') +define(`RTC_AIE_OFF', `0x00007002') +define(`RTC_UIE_ON', `0x00007003') +define(`PHN_NOT_OH', `0x00007004') +define(`RTC_UIE_OFF', `0x00007004') +define(`RTC_PIE_ON', `0x00007005') +define(`RTC_PIE_OFF', `0x00007006') +define(`RTC_WIE_ON', `0x0000700f') +define(`RTC_WIE_OFF', `0x00007010') +define(`RTC_VL_CLR', `0x00007014') +define(`NVRAM_INIT', `0x00007040') +define(`NVRAM_SETCKS', `0x00007041') +define(`PPCLAIM', `0x0000708b') +define(`PPRELEASE', `0x0000708c') +define(`PPYIELD', `0x0000708d') +define(`PPEXCL', `0x0000708f') +define(`PHONE_CAPABILITIES', `0x00007180') +define(`PHONE_RING', `0x00007183') +define(`PHONE_HOOKSTATE', `0x00007184') +define(`OLD_PHONE_RING_START', `0x00007187') +define(`PHONE_RING_STOP', `0x00007188') +define(`PHONE_REC_START', `0x0000718a') +define(`PHONE_REC_STOP', `0x0000718b') +define(`PHONE_REC_LEVEL', `0x0000718f') +define(`PHONE_PLAY_START', `0x00007191') +define(`PHONE_PLAY_STOP', `0x00007192') +define(`PHONE_PLAY_LEVEL', `0x00007195') +define(`PHONE_GET_TONE_ON_TIME', `0x0000719e') +define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f') +define(`PHONE_GET_TONE_STATE', `0x000071a0') +define(`PHONE_BUSY', `0x000071a1') +define(`PHONE_RINGBACK', `0x000071a2') +define(`PHONE_DIALTONE', `0x000071a3') +define(`PHONE_CPT_STOP', `0x000071a4') +define(`PHONE_PSTN_GET_STATE', `0x000071a5') +define(`PHONE_PSTN_LINETEST', `0x000071a8') 
+define(`IXJCTL_DSP_RESET', `0x000071c0') +define(`IXJCTL_DSP_IDLE', `0x000071c5') +define(`IXJCTL_TESTRAM', `0x000071c6') +define(`IXJCTL_AEC_STOP', `0x000071cc') +define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd') +define(`IXJCTL_PSTN_LINETEST', `0x000071d3') +define(`IXJCTL_PLAY_CID', `0x000071d7') +define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7') +define(`BR_OK', `0x00007201') +define(`BR_DEAD_REPLY', `0x00007205') +define(`BR_TRANSACTION_COMPLETE', `0x00007206') +define(`BR_NOOP', `0x0000720c') +define(`BR_SPAWN_LOOPER', `0x0000720d') +define(`BR_FINISHED', `0x0000720e') +define(`BR_FAILED_REPLY', `0x00007211') +define(`MEYEIOC_STILLCAPT', `0x000076c4') +define(`ASHMEM_GET_SIZE', `0x00007704') +define(`ASHMEM_GET_PROT_MASK', `0x00007706') +define(`ASHMEM_GET_PIN_STATUS', `0x00007709') +define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a') +define(`FIOSETOWN', `0x00008901') +define(`SIOCSPGRP', `0x00008902') +define(`FIOGETOWN', `0x00008903') +define(`SIOCGPGRP', `0x00008904') +define(`SIOCATMARK', `0x00008905') +define(`SIOCGSTAMP', `0x00008906') +define(`SIOCGSTAMPNS', `0x00008907') +define(`SIOCADDRT', `0x0000890b') +define(`SIOCDELRT', `0x0000890c') +define(`SIOCRTMSG', `0x0000890d') +define(`SIOCGIFNAME', `0x00008910') +define(`SIOCSIFLINK', `0x00008911') +define(`SIOCGIFCONF', `0x00008912') +define(`SIOCGIFFLAGS', `0x00008913') +define(`SIOCSIFFLAGS', `0x00008914') +define(`SIOCGIFADDR', `0x00008915') +define(`SIOCSIFADDR', `0x00008916') +define(`SIOCGIFDSTADDR', `0x00008917') +define(`SIOCSIFDSTADDR', `0x00008918') +define(`SIOCGIFBRDADDR', `0x00008919') +define(`SIOCSIFBRDADDR', `0x0000891a') +define(`SIOCGIFNETMASK', `0x0000891b') +define(`SIOCSIFNETMASK', `0x0000891c') +define(`SIOCGIFMETRIC', `0x0000891d') +define(`SIOCSIFMETRIC', `0x0000891e') +define(`SIOCGIFMEM', `0x0000891f') +define(`SIOCSIFMEM', `0x00008920') +define(`SIOCGIFMTU', `0x00008921') +define(`SIOCSIFMTU', `0x00008922') +define(`SIOCSIFNAME', `0x00008923') +define(`SIOCSIFHWADDR', `0x00008924') 
+define(`SIOCGIFENCAP', `0x00008925') +define(`SIOCSIFENCAP', `0x00008926') +define(`SIOCGIFHWADDR', `0x00008927') +define(`SIOCGIFSLAVE', `0x00008929') +define(`SIOCSIFSLAVE', `0x00008930') +define(`SIOCADDMULTI', `0x00008931') +define(`SIOCDELMULTI', `0x00008932') +define(`SIOCGIFINDEX', `0x00008933') +define(`SIOCSIFPFLAGS', `0x00008934') +define(`SIOCGIFPFLAGS', `0x00008935') +define(`SIOCDIFADDR', `0x00008936') +define(`SIOCSIFHWBROADCAST', `0x00008937') +define(`SIOCGIFCOUNT', `0x00008938') +define(`SIOCKILLADDR', `0x00008939') +define(`SIOCGIFBR', `0x00008940') +define(`SIOCSIFBR', `0x00008941') +define(`SIOCGIFTXQLEN', `0x00008942') +define(`SIOCSIFTXQLEN', `0x00008943') +define(`SIOCETHTOOL', `0x00008946') +define(`SIOCGMIIPHY', `0x00008947') +define(`SIOCGMIIREG', `0x00008948') +define(`SIOCSMIIREG', `0x00008949') +define(`SIOCWANDEV', `0x0000894a') +define(`SIOCOUTQNSD', `0x0000894b') +define(`SIOCDARP', `0x00008953') +define(`SIOCGARP', `0x00008954') +define(`SIOCSARP', `0x00008955') +define(`SIOCDRARP', `0x00008960') +define(`SIOCGRARP', `0x00008961') +define(`SIOCSRARP', `0x00008962') +define(`SIOCGIFMAP', `0x00008970') +define(`SIOCSIFMAP', `0x00008971') +define(`SIOCADDDLCI', `0x00008980') +define(`SIOCDELDLCI', `0x00008981') +define(`SIOCGIFVLAN', `0x00008982') +define(`SIOCSIFVLAN', `0x00008983') +define(`SIOCBONDENSLAVE', `0x00008990') +define(`SIOCBONDRELEASE', `0x00008991') +define(`SIOCBONDSETHWADDR', `0x00008992') +define(`SIOCBONDSLAVEINFOQUERY', `0x00008993') +define(`SIOCBONDINFOQUERY', `0x00008994') +define(`SIOCBONDCHANGEACTIVE', `0x00008995') +define(`SIOCBRADDBR', `0x000089a0') +define(`SIOCBRDELBR', `0x000089a1') +define(`SIOCBRADDIF', `0x000089a2') +define(`SIOCBRDELIF', `0x000089a3') +define(`SIOCSHWTSTAMP', `0x000089b0') +define(`SIOCGHWTSTAMP', `0x000089b1') +define(`SIOCPROTOPRIVATE', `0x000089e0') +define(`SIOCPROTOPRIVATE_1', `0x000089e1') +define(`SIOCPROTOPRIVATE_2', `0x000089e2') +define(`SIOCPROTOPRIVATE_3', `0x000089e3') 
+define(`SIOCPROTOPRIVATE_4', `0x000089e4') +define(`SIOCPROTOPRIVATE_5', `0x000089e5') +define(`SIOCPROTOPRIVATE_6', `0x000089e6') +define(`SIOCPROTOPRIVATE_7', `0x000089e7') +define(`SIOCPROTOPRIVATE_8', `0x000089e8') +define(`SIOCPROTOPRIVATE_9', `0x000089e9') +define(`SIOCPROTOPRIVATE_A', `0x000089ea') +define(`SIOCPROTOPRIVATE_B', `0x000089eb') +define(`SIOCPROTOPRIVATE_C', `0x000089ec') +define(`SIOCPROTOPRIVATE_D', `0x000089ed') +define(`SIOCPROTOPRIVATE_E', `0x000089ee') +define(`SIOCPROTOPRIVLAST', `0x000089ef') +define(`SIOCDEVPRIVATE', `0x000089f0') +define(`SIOCDEVPRIVATE_1', `0x000089f1') +define(`SIOCDEVPRIVATE_2', `0x000089f2') +define(`SIOCDEVPRIVATE_3', `0x000089f3') +define(`SIOCDEVPRIVATE_4', `0x000089f4') +define(`SIOCDEVPRIVATE_5', `0x000089f5') +define(`SIOCDEVPRIVATE_6', `0x000089f6') +define(`SIOCDEVPRIVATE_7', `0x000089f7') +define(`SIOCDEVPRIVATE_8', `0x000089f8') +define(`SIOCDEVPRIVATE_9', `0x000089f9') +define(`SIOCDEVPRIVATE_A', `0x000089fa') +define(`SIOCDEVPRIVATE_B', `0x000089fb') +define(`SIOCDEVPRIVATE_C', `0x000089fc') +define(`SIOCDEVPRIVATE_D', `0x000089fd') +define(`SIOCDEVPRIVATE_E', `0x000089fe') +define(`SIOCDEVPRIVLAST', `0x000089ff') +define(`SIOCIWFIRST', `0x00008b00') +define(`SIOCSIWCOMMIT', `0x00008b00') +define(`SIOCGIWNAME', `0x00008b01') +define(`SIOCSIWNWID', `0x00008b02') +define(`SIOCGIWNWID', `0x00008b03') +define(`SIOCSIWFREQ', `0x00008b04') +define(`SIOCGIWFREQ', `0x00008b05') +define(`SIOCSIWMODE', `0x00008b06') +define(`SIOCGIWMODE', `0x00008b07') +define(`SIOCSIWSENS', `0x00008b08') +define(`SIOCGIWSENS', `0x00008b09') +define(`SIOCSIWRANGE', `0x00008b0a') +define(`SIOCGIWRANGE', `0x00008b0b') +define(`SIOCSIWPRIV', `0x00008b0c') +define(`SIOCGIWPRIV', `0x00008b0d') +define(`SIOCSIWSTATS', `0x00008b0e') +define(`SIOCGIWSTATS', `0x00008b0f') +define(`SIOCSIWSPY', `0x00008b10') +define(`SIOCGIWSPY', `0x00008b11') +define(`SIOCSIWTHRSPY', `0x00008b12') +define(`SIOCGIWTHRSPY', `0x00008b13') 
+define(`SIOCSIWAP', `0x00008b14') +define(`SIOCGIWAP', `0x00008b15') +define(`SIOCSIWMLME', `0x00008b16') +define(`SIOCGIWAPLIST', `0x00008b17') +define(`SIOCSIWSCAN', `0x00008b18') +define(`SIOCGIWSCAN', `0x00008b19') +define(`SIOCSIWESSID', `0x00008b1a') +define(`SIOCGIWESSID', `0x00008b1b') +define(`SIOCSIWNICKN', `0x00008b1c') +define(`SIOCGIWNICKN', `0x00008b1d') +define(`SIOCSIWRATE', `0x00008b20') +define(`SIOCGIWRATE', `0x00008b21') +define(`SIOCSIWRTS', `0x00008b22') +define(`SIOCGIWRTS', `0x00008b23') +define(`SIOCSIWFRAG', `0x00008b24') +define(`SIOCGIWFRAG', `0x00008b25') +define(`SIOCSIWTXPOW', `0x00008b26') +define(`SIOCGIWTXPOW', `0x00008b27') +define(`SIOCSIWRETRY', `0x00008b28') +define(`SIOCGIWRETRY', `0x00008b29') +define(`SIOCSIWENCODE', `0x00008b2a') +define(`SIOCGIWENCODE', `0x00008b2b') +define(`SIOCSIWPOWER', `0x00008b2c') +define(`SIOCGIWPOWER', `0x00008b2d') +define(`SIOCSIWGENIE', `0x00008b30') +define(`SIOCGIWGENIE', `0x00008b31') +define(`SIOCSIWAUTH', `0x00008b32') +define(`SIOCGIWAUTH', `0x00008b33') +define(`SIOCSIWENCODEEXT', `0x00008b34') +define(`SIOCGIWENCODEEXT', `0x00008b35') +define(`SIOCSIWPMKSA', `0x00008b36') +define(`SIOCIWFIRSTPRIV', `0x00008be0') +define(`SIOCIWFIRSTPRIV_01', `0x00008be1') +define(`SIOCIWFIRSTPRIV_02', `0x00008be2') +define(`SIOCIWFIRSTPRIV_03', `0x00008be3') +define(`SIOCIWFIRSTPRIV_04', `0x00008be4') +define(`SIOCIWFIRSTPRIV_05', `0x00008be5') +define(`SIOCIWFIRSTPRIV_06', `0x00008be6') +define(`SIOCIWFIRSTPRIV_07', `0x00008be7') +define(`SIOCIWFIRSTPRIV_08', `0x00008be8') +define(`SIOCIWFIRSTPRIV_09', `0x00008be9') +define(`SIOCIWFIRSTPRIV_0A', `0x00008bea') +define(`SIOCIWFIRSTPRIV_0B', `0x00008beb') +define(`SIOCIWFIRSTPRIV_0C', `0x00008bec') +define(`SIOCIWFIRSTPRIV_0D', `0x00008bed') +define(`SIOCIWFIRSTPRIV_0E', `0x00008bee') +define(`SIOCIWFIRSTPRIV_0F', `0x00008bef') +define(`SIOCIWFIRSTPRIV_10', `0x00008bf0') +define(`SIOCIWFIRSTPRIV_11', `0x00008bf1') +define(`SIOCIWFIRSTPRIV_12', 
`0x00008bf2') +define(`SIOCIWFIRSTPRIV_13', `0x00008bf3') +define(`SIOCIWFIRSTPRIV_14', `0x00008bf4') +define(`SIOCIWFIRSTPRIV_15', `0x00008bf5') +define(`SIOCIWFIRSTPRIV_16', `0x00008bf6') +define(`SIOCIWFIRSTPRIV_17', `0x00008bf7') +define(`SIOCIWFIRSTPRIV_18', `0x00008bf8') +define(`SIOCIWFIRSTPRIV_19', `0x00008bf9') +define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa') +define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb') +define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc') +define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd') +define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe') +define(`SIOCIWLASTPRIV', `0x00008bff') +define(`AUTOFS_IOC_READY', `0x00009360') +define(`AUTOFS_IOC_FAIL', `0x00009361') +define(`AUTOFS_IOC_CATATONIC', `0x00009362') +define(`BTRFS_IOC_TRANS_START', `0x00009406') +define(`BTRFS_IOC_TRANS_END', `0x00009407') +define(`BTRFS_IOC_SYNC', `0x00009408') +define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c') +define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e') +define(`NBD_SET_SOCK', `0x0000ab00') +define(`NBD_SET_BLKSIZE', `0x0000ab01') +define(`NBD_SET_SIZE', `0x0000ab02') +define(`NBD_DO_IT', `0x0000ab03') +define(`NBD_CLEAR_SOCK', `0x0000ab04') +define(`NBD_CLEAR_QUE', `0x0000ab05') +define(`NBD_PRINT_DEBUG', `0x0000ab06') +define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07') +define(`NBD_DISCONNECT', `0x0000ab08') +define(`NBD_SET_TIMEOUT', `0x0000ab09') +define(`NBD_SET_FLAGS', `0x0000ab0a') +define(`RAW_SETBIND', `0x0000ac00') +define(`RAW_GETBIND', `0x0000ac01') +define(`KVM_GET_API_VERSION', `0x0000ae00') +define(`KVM_CREATE_VM', `0x0000ae01') +define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01') +define(`LOGGER_GET_LOG_LEN', `0x0000ae02') +define(`KVM_CHECK_EXTENSION', `0x0000ae03') +define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03') +define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04') +define(`LOGGER_FLUSH_LOG', `0x0000ae04') +define(`LOGGER_GET_VERSION', `0x0000ae05') +define(`KVM_S390_ENABLE_SIE', `0x0000ae06') +define(`LOGGER_SET_VERSION', `0x0000ae06') +define(`KVM_CREATE_VCPU', `0x0000ae41') 
+define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44') +define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45') +define(`KVM_SET_TSS_ADDR', `0x0000ae47') +define(`KVM_CREATE_IRQCHIP', `0x0000ae60') +define(`KVM_CREATE_PIT', `0x0000ae64') +define(`KVM_REINJECT_CONTROL', `0x0000ae71') +define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78') +define(`KVM_RUN', `0x0000ae80') +define(`KVM_S390_INITIAL_RESET', `0x0000ae97') +define(`KVM_NMI', `0x0000ae9a') +define(`KVM_SET_TSC_KHZ', `0x0000aea2') +define(`KVM_GET_TSC_KHZ', `0x0000aea3') +define(`KVM_KVMCLOCK_CTRL', `0x0000aead') +define(`VHOST_SET_OWNER', `0x0000af01') +define(`VHOST_RESET_OWNER', `0x0000af02') +define(`PPPOEIOCDFWD', `0x0000b101') +define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500') +define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502') +define(`IOCTL_EVTCHN_UNBIND', `0x00044503') +define(`IOCTL_EVTCHN_NOTIFY', `0x00044504') +define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344') +define(`MFB_SET_ALPHA', `0x40014d00') +define(`MFB_SET_GAMMA', `0x40014d01') +define(`MFB_SET_BRIGHTNESS', `0x40014d03') +define(`SPI_IOC_WR_MODE', `0x40016b01') +define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02') +define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03') +define(`PPWCONTROL', `0x40017084') +define(`PPWDATA', `0x40017086') +define(`PPWCTLONIRQ', `0x40017092') +define(`PHONE_MAXRINGS', `0x40017185') +define(`PHONE_PLAY_TONE', `0x4001719b') +define(`SONYPI_IOCSBRT', `0x40017600') +define(`SONYPI_IOCSBLUE', `0x40017609') +define(`SONYPI_IOCSFAN', `0x4001760b') +define(`ATM_SETBACKEND', `0x400261f2') +define(`ATM_NEWBACKENDIF', `0x400261f3') +define(`NCP_IOC_GETMOUNTUID', `0x40026e02') +define(`AUDIO_SET_ATTRIBUTES', `0x40026f11') +define(`DMX_ADD_PID', `0x40026f33') +define(`DMX_REMOVE_PID', `0x40026f34') +define(`PPFCONTROL', `0x4002708e') +define(`PHONE_RING_CADENCE', `0x40027186') +define(`SET_BITMAP_FILE', `0x4004092b') +define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02') 
+define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303') +define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305') +define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307') +define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b') +define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e') +define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318') +define(`BLKI2OSRSTRAT', `0x40043203') +define(`BLKI2OSWSTRAT', `0x40043204') +define(`SNAPSHOT_CREATE_IMAGE', `0x40043311') +define(`PTP_ENABLE_PPS', `0x40043d04') +define(`SYNC_IOC_WAIT', `0x40043e00') +define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102') +define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103') +define(`AGPIOC_DEALLOCATE', `0x40044107') +define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145') +define(`SNDRV_PCM_IOCTL_LINK', `0x40044160') +define(`CCISS_REGNEWDISK', `0x4004420d') +define(`EVIOCRMFF', `0x40044581') +define(`EVIOCGRAB', `0x40044590') +define(`EVIOCREVOKE', `0x40044591') +define(`EVIOCSCLOCKID', `0x400445a0') +define(`FBIOPUT_CONTRAST', `0x40044602') +define(`FBIPUT_BRIGHTNESS', `0x40044603') +define(`FBIPUT_COLOR', `0x40044606') +define(`FBIPUT_HSYNC', `0x40044609') +define(`FBIPUT_VSYNC', `0x4004460a') +define(`FBIO_WAITFORVSYNC', `0x40044620') +define(`SSTFB_SET_VGAPASS', `0x400446dd') +define(`HIDIOCSFLAG', `0x4004480f') +define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820') +define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825') +define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826') +define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883') +define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884') +define(`HCIDEVUP', `0x400448c9') +define(`HCIDEVDOWN', `0x400448ca') +define(`HCIDEVRESET', `0x400448cb') +define(`HCIDEVRESTAT', `0x400448cc') +define(`HCISETRAW', `0x400448dc') +define(`HCISETSCAN', `0x400448dd') +define(`HCISETAUTH', `0x400448de') +define(`HCISETENCRYPT', `0x400448df') +define(`HCISETPTYPE', `0x400448e0') +define(`HCISETLINKPOL', `0x400448e1') +define(`HCISETLINKMODE', `0x400448e2') +define(`HCISETACLMTU', `0x400448e3') 
+define(`HCISETSCOMTU', `0x400448e4') +define(`HCIBLOCKADDR', `0x400448e6') +define(`HCIUNBLOCKADDR', `0x400448e7') +define(`MFB_SET_PIXFMT', `0x40044d08') +define(`OTPGETREGIONCOUNT', `0x40044d0e') +define(`UBI_IOCEBER', `0x40044f01') +define(`UBI_IOCEBCH', `0x40044f02') +define(`UBI_IOCEBUNMAP', `0x40044f04') +define(`OMAPFB_MIRROR', `0x40044f1f') +define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28') +define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b') +define(`OMAPFB_LCD_TEST', `0x40044f2d') +define(`OMAPFB_CTRL_TEST', `0x40044f2e') +define(`SNDCTL_DSP_SETTRIGGER', `0x40045010') +define(`SNDCTL_DSP_PROFILE', `0x40045017') +define(`SNDCTL_DSP_SETSPDIF', `0x40045042') +define(`SNDCTL_SEQ_PERCMODE', `0x40045106') +define(`SNDCTL_SEQ_TESTMIDI', `0x40045108') +define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109') +define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d') +define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f') +define(`RNDADDTOENTCNT', `0x40045201') +define(`SAA6588_CMD_CLOSE', `0x40045202') +define(`RFCOMMCREATEDEV', `0x400452c8') +define(`RFCOMMRELEASEDEV', `0x400452c9') +define(`RFCOMMSTEALDLC', `0x400452dc') +define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402') +define(`SNDCTL_TMR_METRONOME', `0x40045407') +define(`SNDCTL_TMR_SELECT', `0x40045408') +define(`TIOCSPTLCK', `0x40045431') +define(`TIOCSIG', `0x40045436') +define(`TUNSETNOCSUM', `0x400454c8') +define(`TUNSETDEBUG', `0x400454c9') +define(`TUNSETIFF', `0x400454ca') +define(`TUNSETPERSIST', `0x400454cb') +define(`TUNSETOWNER', `0x400454cc') +define(`TUNSETLINK', `0x400454cd') +define(`TUNSETGROUP', `0x400454ce') +define(`TUNSETOFFLOAD', `0x400454d0') +define(`TUNSETTXFILTER', `0x400454d1') +define(`TUNSETSNDBUF', `0x400454d4') +define(`TUNSETVNETHDRSZ', `0x400454d8') +define(`TUNSETQUEUE', `0x400454d9') +define(`TUNSETIFINDEX', `0x400454da') +define(`TUNSETVNETLE', `0x400454dc') +define(`USBDEVFS_REAPURB32', `0x4004550c') +define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d') +define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532') 
+define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542') +define(`UI_SET_EVBIT', `0x40045564') +define(`UI_SET_KEYBIT', `0x40045565') +define(`UI_SET_RELBIT', `0x40045566') +define(`UI_SET_ABSBIT', `0x40045567') +define(`UI_SET_MSCBIT', `0x40045568') +define(`UI_SET_LEDBIT', `0x40045569') +define(`UI_SET_SNDBIT', `0x4004556a') +define(`UI_SET_FFBIT', `0x4004556b') +define(`UI_SET_SWBIT', `0x4004556d') +define(`UI_SET_PROPBIT', `0x4004556e') +define(`VIDIOC_OVERLAY', `0x4004560e') +define(`VIDIOC_STREAMON', `0x40045612') +define(`VIDIOC_STREAMOFF', `0x40045613') +define(`VIDIOC_S_PRIORITY', `0x40045644') +define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1') +define(`SW_SYNC_IOC_INC', `0x40045701') +define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730') +define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731') +define(`SONET_SETFRAMING', `0x40046115') +define(`ATM_SETSC', `0x400461f1') +define(`ATM_DROPPARTY', `0x400461f5') +define(`BINDER_SET_MAX_THREADS', `0x40046205') +define(`BINDER_SET_IDLE_PRIORITY', `0x40046206') +define(`BINDER_SET_CONTEXT_MGR', `0x40046207') +define(`BINDER_THREAD_EXIT', `0x40046208') +define(`BC_ACQUIRE_RESULT', `0x40046302') +define(`BC_INCREFS', `0x40046304') +define(`BC_ACQUIRE', `0x40046305') +define(`CHIOSPICKER', `0x40046305') +define(`BC_RELEASE', `0x40046306') +define(`BC_DECREFS', `0x40046307') +define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411') +define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445') +define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445') +define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446') +define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a') +define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c') +define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d') +define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450') +define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457') +define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b') +define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460') +define(`VIDIOC_INT_RESET', `0x40046466') +define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', 
`0x40046483') +define(`FS_IOC32_SETFLAGS', `0x40046602') +define(`LIRC_SET_SEND_MODE', `0x40046911') +define(`LIRC_SET_REC_MODE', `0x40046912') +define(`LIRC_SET_SEND_CARRIER', `0x40046913') +define(`LIRC_SET_REC_CARRIER', `0x40046914') +define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915') +define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916') +define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917') +define(`LIRC_SET_REC_TIMEOUT', `0x40046918') +define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919') +define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a') +define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b') +define(`LIRC_SET_REC_FILTER', `0x4004691c') +define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d') +define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e') +define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f') +define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f') +define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923') +define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04') +define(`SPI_IOC_WR_MODE32', `0x40046b05') +define(`MSMFB_GRP_DISP', `0x40046d01') +define(`MSMFB_BLIT', `0x40046d02') +define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06') +define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c') +define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa') +define(`UBI_IOCRMVOL', `0x40046f01') +define(`DMX_SET_SOURCE', `0x40046f31') +define(`UBI_IOCDET', `0x40046f41') +define(`PPSETMODE', `0x40047080') +define(`PPDATADIR', `0x40047090') +define(`PPNEGOT', `0x40047091') +define(`PPSETPHASE', `0x40047094') +define(`PPSETFLAGS', `0x4004709b') +define(`PHONE_REC_CODEC', `0x40047189') +define(`PHONE_REC_DEPTH', `0x4004718c') +define(`PHONE_FRAME', `0x4004718d') +define(`PHONE_REC_VOLUME', `0x4004718e') +define(`PHONE_PLAY_CODEC', `0x40047190') +define(`PHONE_PLAY_DEPTH', `0x40047193') +define(`PHONE_PLAY_VOLUME', `0x40047194') +define(`PHONE_DTMF_OOB', `0x40047199') +define(`PHONE_SET_TONE_ON_TIME', `0x4004719c') +define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d') +define(`PHONE_PSTN_SET_STATE', `0x400471a4') 
+define(`PHONE_WINK_DURATION', `0x400471a6') +define(`PHONE_VAD', `0x400471a9') +define(`PHONE_WINK', `0x400471aa') +define(`IXJCTL_GET_FILTER_HIST', `0x400471c8') +define(`IXJCTL_AEC_START', `0x400471cb') +define(`IXJCTL_SET_LED', `0x400471ce') +define(`IXJCTL_MIXER', `0x400471cf') +define(`IXJCTL_DAA_COEFF_SET', `0x400471d0') +define(`IXJCTL_PORT', `0x400471d1') +define(`IXJCTL_DAA_AGAIN', `0x400471d2') +define(`IXJCTL_POTS_PSTN', `0x400471d5') +define(`PHONE_REC_VOLUME_LINEAR', `0x400471db') +define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc') +define(`IXJCTL_HZ', `0x400471e0') +define(`IXJCTL_RATE', `0x400471e1') +define(`IXJCTL_DTMF_PRESCALE', `0x400471e8') +define(`IXJCTL_SC_RXG', `0x400471ea') +define(`IXJCTL_SC_TXG', `0x400471eb') +define(`IXJCTL_INTERCOM_START', `0x400471fd') +define(`IXJCTL_INTERCOM_STOP', `0x400471fe') +define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211') +define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600') +define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601') +define(`FS_IOC32_SETVERSION', `0x40047602') +define(`MEYEIOC_QBUF_CAPT', `0x400476c2') +define(`OSIOCSNETADDR', `0x400489e0') +define(`SIOCSNETADDR', `0x400489e0') +define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366') +define(`BTRFS_IOC_CLONE', `0x40049409') +define(`BTRFS_IOC_BALANCE_CTL', `0x40049421') +define(`KVM_INTERRUPT', `0x4004ae86') +define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b') +define(`KVM_SET_MP_STATE', `0x4004ae99') +define(`VHOST_SET_LOG_FD', `0x4004af07') +define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42') +define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43') +define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44') +define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303') +define(`SISFB_SET_TVPOSOFFSET', `0x4004f304') +define(`SISFB_SET_LOCK', `0x4004f306') +define(`GIGASET_BRKCHARS', `0x40064702') +define(`MEYEIOC_S_PARAMS', `0x400676c1') +define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f') +define(`BLKBSZSET', `0x40081271') +define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316') 
+define(`PERF_EVENT_IOC_PERIOD', `0x40082404') +define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406') +define(`FBIO_RADEON_SET_MIRROR', `0x40084004') +define(`AGPIOC_SETUP', `0x40084103') +define(`AGPIOC_RESERVE', `0x40084104') +define(`AGPIOC_PROTECT', `0x40084105') +define(`AGPIOC_BIND', `0x40084108') +define(`AGPIOC_UNBIND', `0x40084109') +define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146') +define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149') +define(`PMU_IOC_SET_BACKLIGHT', `0x40084202') +define(`CCISS_SETINTINFO', `0x40084203') +define(`APEI_ERST_CLEAR_RECORD', `0x40084501') +define(`EVIOCSREP', `0x40084503') +define(`EVIOCSKEYCODE', `0x40084504') +define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813') +define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842') +define(`MEMERASE', `0x40084d02') +define(`MFB_SET_AOID', `0x40084d04') +define(`MEMLOCK', `0x40084d05') +define(`MEMUNLOCK', `0x40084d06') +define(`MEMGETBADBLOCK', `0x40084d0b') +define(`MEMSETBADBLOCK', `0x40084d0c') +define(`UBI_IOCVOLUP', `0x40084f00') +define(`UBI_IOCEBMAP', `0x40084f03') +define(`OMAPFB_SETUP_MEM', `0x40084f37') +define(`OMAPFB_QUERY_MEM', `0x40084f38') +define(`OMAPFB_SET_TEARSYNC', `0x40084f3e') +define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112') +define(`RNDADDENTROPY', `0x40085203') +define(`TFD_IOC_SET_TICKS', `0x40085400') +define(`USBDEVFS_REAPURB', `0x4008550c') +define(`USBDEVFS_REAPURBNDELAY', `0x4008550d') +define(`USBDEVFS_CONNECTINFO', `0x40085511') +define(`UI_SET_PHYS', `0x4008556c') +define(`VIDIOC_S_STD', `0x40085618') +define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1') +define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203') +define(`CM_IOCSPTS', `0x40086302') +define(`BC_FREE_BUFFER', `0x40086303') +define(`BC_ATTEMPT_ACQUIRE', `0x4008630a') +define(`BC_DEAD_BINDER_DONE', `0x40086310') +define(`CM_IOSDBGLVL', `0x400863fa') +define(`DRM_IOCTL_MODESET_CTL', `0x40086408') +define(`DRM_IOCTL_GEM_CLOSE', `0x40086409') +define(`DRM_IOCTL_CONTROL', `0x40086414') +define(`DRM_IOCTL_MOD_CTX', 
`0x40086422') +define(`DRM_IOCTL_SWITCH_CTX', `0x40086424') +define(`DRM_IOCTL_NEW_CTX', `0x40086425') +define(`DRM_IOCTL_LOCK', `0x4008642a') +define(`DRM_IOCTL_UNLOCK', `0x4008642b') +define(`DRM_IOCTL_FINISH', `0x4008642c') +define(`DRM_IOCTL_AGP_ENABLE', `0x40086432') +define(`DRM_IOCTL_MGA_FLUSH', `0x40086441') +define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442') +define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442') +define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443') +define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444') +define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445') +define(`DRM_IOCTL_I915_SETPARAM', `0x40086447') +define(`DRM_IOCTL_I915_FREE', `0x40086449') +define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c') +define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d') +define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f') +define(`DRM_IOCTL_RADEON_FREE', `0x40086454') +define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456') +define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464') +define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e') +define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f') +define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482') +define(`FS_IOC_SETFLAGS', `0x40086602') +define(`HPET_IRQFREQ', `0x40086806') +define(`MTIOCTOP', `0x40086d01') +define(`NCP_IOC_GETMOUNTUID2', `0x40086e02') +define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81') +define(`NILFS_IOCTL_RESIZE', `0x40086e8b') +define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8') +define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa') +define(`AUDIO_SET_MIXER', `0x40086f0e') +define(`VIDEO_SET_SPU', `0x40086f32') +define(`CA_SET_PID', `0x40086f87') +define(`PHN_SET_REG', `0x40087001') +define(`PHN_SET_REGS', `0x40087003') +define(`PHN_SETREG', `0x40087006') +define(`RTC_IRQP_SET', `0x4008700c') +define(`RTC_EPOCH_SET', `0x4008700e') +define(`PPS_SETPARAMS', `0x400870a2') +define(`PPS_KC_BIND', `0x400870a5') +define(`SPIOCSTYPE', `0x40087101') +define(`PHONE_CAPABILITIES_CHECK', `0x40087182') +define(`PHONE_RING_START', 
`0x40087187') +define(`IXJCTL_SET_FILTER', `0x400871c7') +define(`IXJCTL_INIT_TONE', `0x400871c9') +define(`IXJCTL_TONE_CADENCE', `0x400871ca') +define(`IXJCTL_FILTER_CADENCE', `0x400871d6') +define(`IXJCTL_CIDCW', `0x400871d9') +define(`IXJCTL_SET_FILTER_RAW', `0x400871dd') +define(`IXJCTL_SIGCTL', `0x400871e9') +define(`FS_IOC_SETVERSION', `0x40087602') +define(`ASHMEM_SET_SIZE', `0x40087703') +define(`ASHMEM_SET_PROT_MASK', `0x40087705') +define(`ASHMEM_PIN', `0x40087707') +define(`ASHMEM_UNPIN', `0x40087708') +define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413') +define(`BTRFS_IOC_WAIT_SYNC', `0x40089416') +define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a') +define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48') +define(`KVM_S390_VCPU_FAULT', `0x4008ae52') +define(`KVM_IRQ_LINE', `0x4008ae61') +define(`KVM_SET_GSI_ROUTING', `0x4008ae6a') +define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73') +define(`KVM_SET_MSRS', `0x4008ae89') +define(`KVM_SET_CPUID', `0x4008ae8a') +define(`KVM_SET_CPUID2', `0x4008ae90') +define(`KVM_SET_VAPIC_ADDR', `0x4008ae93') +define(`KVM_S390_STORE_STATUS', `0x4008ae95') +define(`KVM_X86_SETUP_MCE', `0x4008ae9c') +define(`VHOST_SET_FEATURES', `0x4008af00') +define(`VHOST_SET_MEM_TABLE', `0x4008af03') +define(`VHOST_SET_LOG_BASE', `0x4008af04') +define(`VHOST_SET_VRING_NUM', `0x4008af10') +define(`VHOST_SET_VRING_BASE', `0x4008af12') +define(`VHOST_SET_VRING_KICK', `0x4008af20') +define(`VHOST_SET_VRING_CALL', `0x4008af21') +define(`VHOST_SET_VRING_ERR', `0x4008af22') +define(`VHOST_NET_SET_BACKEND', `0x4008af30') +define(`PPPOEIOCSFWD', `0x4008b100') +define(`IOW_WRITE', `0x4008c001') +define(`IOW_READ', `0x4008c002') +define(`REISERFS_IOC_UNPACK', `0x4008cd01') +define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824') +define(`FDFMTTRK', `0x400c0248') +define(`RUN_ARRAY', `0x400c0930') +define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d') +define(`CAPI_REGISTER', `0x400c4301') +define(`HIDIOCGREPORT', `0x400c4807') +define(`HIDIOCSREPORT', `0x400c4808') 
+define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822') +define(`MFB_SET_CHROMA_KEY', `0x400c4d01') +define(`OTPGETREGIONINFO', `0x400c4d0f') +define(`UI_END_FF_ERASE', `0x400c55cb') +define(`CHIOPOSITION', `0x400c6303') +define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e') +define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f') +define(`DRM_IOCTL_I810_VERTEX', `0x400c6441') +define(`DRM_IOCTL_I810_CLEAR', `0x400c6442') +define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445') +define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447') +define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a') +define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455') +define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a') +define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f') +define(`I2OEVTREG', `0x400c690a') +define(`HSC_SET_RX', `0x400c6b13') +define(`HSC_GET_RX', `0x400c6b14') +define(`NCP_IOC_GETROOT', `0x400c6e08') +define(`UBI_IOCRSVOL', `0x400c6f02') +define(`AUDIO_SET_KARAOKE', `0x400c6f12') +define(`KVM_CREATE_SPAPR_TCE', `0x400caea8') +define(`MBXFB_IOCS_REG', `0x400cf404') +define(`FW_CDEV_IOC_START_ISO', `0x4010230a') +define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317') +define(`PTP_EXTTS_REQUEST', `0x40103d02') +define(`CCISS_SETNODENAME', `0x40104205') +define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821') +define(`MTRRIOC_ADD_ENTRY', `0x40104d00') +define(`MTRRIOC_SET_ENTRY', `0x40104d01') +define(`MTRRIOC_DEL_ENTRY', `0x40104d02') +define(`MTRRIOC_KILL_ENTRY', `0x40104d04') +define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05') +define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06') +define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07') +define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09') +define(`MEMERASE64', `0x40104d14') +define(`UBI_IOCSETVOLPROP', `0x40104f06') +define(`OMAPFB_SET_COLOR_KEY', `0x40104f32') +define(`OMAPFB_GET_COLOR_KEY', `0x40104f33') +define(`TUNATTACHFILTER', `0x401054d5') +define(`TUNDETACHFILTER', `0x401054d6') +define(`ANDROID_ALARM_SET_RTC', `0x40106105') +define(`IDT77105_GETSTAT', `0x40106132') 
+define(`IDT77105_GETSTATZ', `0x40106133') +define(`ATM_GETSTAT', `0x40106150') +define(`ATM_GETSTATZ', `0x40106151') +define(`ATM_GETLOOP', `0x40106152') +define(`ATM_SETLOOP', `0x40106153') +define(`ATM_QUERYLOOP', `0x40106154') +define(`ENI_MEMDUMP', `0x40106160') +define(`HE_GET_REG', `0x40106160') +define(`ZATM_GETPOOL', `0x40106161') +define(`NS_SETBUFLEV', `0x40106162') +define(`ZATM_GETPOOLZ', `0x40106162') +define(`ZATM_SETPOOL', `0x40106163') +define(`ENI_SETMULT', `0x40106167') +define(`ATM_GETLINKRATE', `0x40106181') +define(`ATM_GETNAMES', `0x40106183') +define(`ATM_GETTYPE', `0x40106184') +define(`ATM_GETESI', `0x40106185') +define(`ATM_GETADDR', `0x40106186') +define(`ATM_RSTADDR', `0x40106187') +define(`ATM_ADDADDR', `0x40106188') +define(`ATM_DELADDR', `0x40106189') +define(`ATM_GETCIRANGE', `0x4010618a') +define(`ATM_SETCIRANGE', `0x4010618b') +define(`ATM_SETESI', `0x4010618c') +define(`ATM_SETESIF', `0x4010618d') +define(`ATM_ADDLECSADDR', `0x4010618e') +define(`ATM_DELLECSADDR', `0x4010618f') +define(`ATM_GETLECSADDR', `0x40106190') +define(`ATM_ADDPARTY', `0x401061f4') +define(`BC_INCREFS_DONE', `0x40106308') +define(`CHIOGSTATUS', `0x40106308') +define(`BC_ACQUIRE_DONE', `0x40106309') +define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d') +define(`DRM_IOCTL_SET_UNIQUE', `0x40106410') +define(`DRM_IOCTL_FREE_BUFS', `0x4010641a') +define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c') +define(`DRM_IOCTL_AGP_BIND', `0x40106436') +define(`DRM_IOCTL_AGP_UNBIND', `0x40106437') +define(`DRM_IOCTL_SG_FREE', `0x40106439') +define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441') +define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442') +define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445') +define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445') +define(`DRM_IOCTL_MGA_INDICES', `0x40106446') +define(`DRM_IOCTL_I810_COPY', `0x40106447') +define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448') +define(`DRM_IOCTL_R128_VERTEX', `0x40106449') +define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449') 
+define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a') +define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451') +define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453') +define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456') +define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459') +define(`TUNER_SET_CONFIG', `0x4010645c') +define(`HSC_SET_TX', `0x40106b15') +define(`HSC_GET_TX', `0x40106b16') +define(`MGSL_IOCSGPIO', `0x40106d10') +define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80') +define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c') +define(`VIDEO_STILLPICTURE', `0x40106f1e') +define(`VIDEO_SET_HIGHLIGHT', `0x40106f27') +define(`VIDEO_SET_SPU_PALETTE', `0x40106f33') +define(`FE_SET_PROPERTY', `0x40106f52') +define(`CA_SET_DESCR', `0x40106f86') +define(`PPSETTIME', `0x40107096') +define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a') +define(`GENWQE_WRITE_REG64', `0x4010a51f') +define(`GENWQE_WRITE_REG32', `0x4010a521') +define(`GENWQE_WRITE_REG16', `0x4010a523') +define(`KVM_GET_DIRTY_LOG', `0x4010ae42') +define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67') +define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68') +define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74') +define(`KVM_S390_INTERRUPT', `0x4010ae94') +define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96') +define(`KVM_DIRTY_TLB', `0x4010aeaa') +define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab') +define(`KVM_GET_ONE_REG', `0x4010aeab') +define(`KVM_SET_ONE_REG', `0x4010aeac') +define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823') +define(`FDSETMAXERRS', `0x4014024c') +define(`ADD_NEW_DISK', `0x40140921') +define(`SNDCTL_COPR_WDATA', `0x40144304') +define(`SNDCTL_COPR_WCODE', `0x40144305') +define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f') +define(`VIDIOC_S_CROP', `0x4014563c') +define(`CHIOMOVE', `0x40146301') +define(`DRM_IOCTL_MGA_CLEAR', `0x40146444') +define(`DRM_IOCTL_R128_CLEAR', `0x40146448') +define(`DRM_IOCTL_R128_INDICES', `0x4014644a') +define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a') +define(`DMX_SET_PES_FILTER', `0x40146f2c') 
+define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304') +define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f') +define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310') +define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150') +define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152') +define(`HIDIOCSUSAGE', `0x4018480c') +define(`HIDIOCGCOLLECTIONINDEX', `0x40184810') +define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07') +define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0') +define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f') +define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443') +define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444') +define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447') +define(`DRM_IOCTL_R128_BLIT', `0x4018644b') +define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d') +define(`UBI_IOCATT', `0x40186f40') +define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429') +define(`KVM_SET_MEMORY_REGION', `0x4018ae40') +define(`KVM_S390_UCAS_MAP', `0x4018ae50') +define(`KVM_S390_UCAS_UNMAP', `0x4018ae51') +define(`KVM_SET_DEVICE_ATTR', `0x4018aee1') +define(`KVM_GET_DEVICE_ATTR', `0x4018aee2') +define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3') +define(`MBXFB_IOCS_ALPHA', `0x4018f402') +define(`BR2684_SETFILT', `0x401c6190') +define(`CHIOEXCHANGE', `0x401c6302') +define(`FDSETPRM', `0x40200242') +define(`FDDEFPRM', `0x40200243') +define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1') +define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2') +define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04') +define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a') +define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b') +define(`DRM_IOCTL_MARK_BUFS', `0x40206417') +define(`DRM_IOCTL_AGP_FREE', `0x40206435') +define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441') +define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443') +define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445') +define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448') +define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b') +define(`DRM_IOCTL_I810_MC', `0x4020644c') +define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450') 
+define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455') +define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c') +define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d') +define(`OSD_SEND_CMD', `0x40206fa0') +define(`RTC_PLL_SET', `0x40207012') +define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d') +define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43') +define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46') +define(`KVM_IRQFD', `0x4020ae76') +define(`KVM_SIGNAL_MSI', `0x4020aea5') +define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa') +define(`KVM_ARM_VCPU_INIT', `0x4020aeae') +define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314') +define(`JSIOCSCORR', `0x40246a21') +define(`FE_SET_FRONTEND', `0x40246f4c') +define(`RTC_ALM_SET', `0x40247007') +define(`RTC_SET_TIME', `0x4024700a') +define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301') +define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312') +define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313') +define(`EVIOCSKEYCODE_V2', `0x40284504') +define(`SNDCTL_FM_LOAD_INSTR', `0x40285107') +define(`DRM_IOCTL_RM_MAP', `0x4028641b') +define(`DRM_IOCTL_R128_DEPTH', `0x4028644c') +define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f') +define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454') +define(`PHN_SETREGS', `0x40287008') +define(`RTC_WKALM_SET', `0x4028700f') +define(`VHOST_SET_VRING_ADDR', `0x4028af11') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342') +define(`TCSETS2', `0x402c542b') +define(`TCSETSW2', `0x402c542c') +define(`TCSETSF2', `0x402c542d') +define(`VIDIOC_S_FREQUENCY', `0x402c5639') +define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467') +define(`EVIOCSFF', `0x40304580') +define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42') +define(`VIDIOC_S_FBUF', `0x4030560b') +define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652') +define(`CHIOSVOLTAG', `0x40306312') +define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e') +define(`MGSL_IOCSPARAMS', `0x40306d00') +define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410') +define(`BTRFS_IOC_SET_FEATURES', `0x40309439') +define(`KVM_SET_CLOCK', `0x4030ae7b') 
+define(`GSMIOC_ENABLE_NET', `0x40344702') +define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410') +define(`VIDIOC_S_AUDIO', `0x40345622') +define(`VIDIOC_S_AUDOUT', `0x40345632') +define(`DRM_IOCTL_MGA_BLIT', `0x40346448') +define(`PTP_PEROUT_REQUEST', `0x40383d03') +define(`VIDIOC_DBG_S_REGISTER', `0x4038564f') +define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441') +define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a') +define(`DMX_SET_FILTER', `0x403c6f2b') +define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e') +define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514') +define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515') +define(`IVTV_IOC_DMA_FRAME', `0x404056c0') +define(`BC_TRANSACTION', `0x40406300') +define(`BC_REPLY', `0x40406301') +define(`DRM_IOCTL_I810_INIT', `0x40406440') +define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469') +define(`JSIOCSAXMAP', `0x40406a31') +define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c') +define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70') +define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72') +define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75') +define(`KVM_CREATE_PIT2', `0x4040ae77') +define(`KVM_IOEVENTFD', `0x4040ae79') +define(`KVM_X86_SET_MCE', `0x4040ae9e') +define(`KVM_SET_VCPU_EVENTS', `0x4040aea0') +define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4') +define(`CXL_IOCTL_START_WORK', `0x4040ca00') +define(`OMAPFB_SETUP_PLANE', `0x40444f34') +define(`OMAPFB_QUERY_PLANE', `0x40444f35') +define(`OMAPFB_UPDATE_WINDOW', `0x40444f36') +define(`VIDIOC_S_MODULATOR', `0x40445637') +define(`DRM_IOCTL_I915_INIT', `0x40446440') +define(`SET_ARRAY_INFO', `0x40480923') +define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830') +define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404') +define(`BTRFS_IOC_SEND', `0x40489426') +define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b') +define(`GSMIOC_SETCONF', `0x404c4701') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a') +define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330') +define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331') 
+define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412') +define(`VIDIOC_S_TUNER', `0x4054561e') +define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c') +define(`PTP_PIN_SETFUNC', `0x40603d07') +define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346') +define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440') +define(`UI_END_FF_UPLOAD', `0x406855c9') +define(`KVM_ENABLE_CAP', `0x4068aea3') +define(`CHIOGELEM', `0x406c6310') +define(`KVM_SET_PIT2', `0x4070aea0') +define(`DRM_IOCTL_R128_INIT', `0x40786440') +define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440') +define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88') +define(`FDSETDRVPRM', `0x40800290') +define(`UBI_IOCVOLCRBLK', `0x40804f07') +define(`DRM_IOCTL_MGA_INIT', `0x40806440') +define(`KVM_PPC_GET_PVINFO', `0x4080aea1') +define(`KVM_SET_DEBUGREGS', `0x4080aea2') +define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac') +define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312') +define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333') +define(`VIDIOC_S_JPEGCOMP', `0x408c563e') +define(`KVM_SET_REGS', `0x4090ae82') +define(`UBI_IOCMKVOL', `0x40986f00') +define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321') +define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323') +define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311') +define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40') +define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41') +define(`ASHMEM_SET_NAME', `0x41007701') +define(`BTRFS_IOC_SET_FSLABEL', `0x41009432') +define(`USBDEVFS_GETDRIVER', `0x41045508') +define(`CA_SEND_MSG', `0x410c6f85') +define(`KVM_SET_SREGS', `0x4138ae84') +define(`KVM_SET_XCRS', `0x4188aea7') +define(`KVM_SET_FPU', `0x41a0ae8d') +define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811') +define(`PTP_SYS_OFFSET', `0x43403d05') +define(`JSIOCSBTNMAP', `0x44006a33') +define(`KVM_SET_LAPIC', `0x4400ae8f') +define(`BTRFS_IOC_SNAP_CREATE', `0x50009401') +define(`BTRFS_IOC_DEFRAG', `0x50009402') +define(`BTRFS_IOC_RESIZE', `0x50009403') 
+define(`BTRFS_IOC_SCAN_DEV', `0x50009404') +define(`BTRFS_IOC_ADD_DEV', `0x5000940a') +define(`BTRFS_IOC_RM_DEV', `0x5000940b') +define(`BTRFS_IOC_BALANCE', `0x5000940c') +define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e') +define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f') +define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417') +define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418') +define(`KVM_SET_XSAVE', `0x5000aea5') +define(`HIDIOCSUSAGES', `0x501c4814') +define(`UBI_IOCRNVOL', `0x51106f03') +define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811') +define(`MFB_GET_ALPHA', `0x80014d00') +define(`MFB_GET_GAMMA', `0x80014d01') +define(`GADGET_GET_PRINTER_STATUS', `0x80016721') +define(`JSIOCGAXES', `0x80016a11') +define(`JSIOCGBUTTONS', `0x80016a12') +define(`SPI_IOC_RD_MODE', `0x80016b01') +define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02') +define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03') +define(`PPRSTATUS', `0x80017081') +define(`PPRCONTROL', `0x80017083') +define(`PPRDATA', `0x80017085') +define(`SONYPI_IOCGBRT', `0x80017600') +define(`SONYPI_IOCGBATFLAGS', `0x80017607') +define(`SONYPI_IOCGBLUE', `0x80017608') +define(`SONYPI_IOCGFAN', `0x8001760a') +define(`SONYPI_IOCGTEMP', `0x8001760c') +define(`CAPI_GET_ERRCODE', `0x80024321') +define(`CAPI_INSTALLED', `0x80024322') +define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820') +define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0') +define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e') +define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f') +define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47') +define(`FE_READ_SNR', `0x80026f48') +define(`SONYPI_IOCGBAT1CAP', `0x80027602') +define(`SONYPI_IOCGBAT1REM', `0x80027603') +define(`SONYPI_IOCGBAT2CAP', `0x80027604') +define(`SONYPI_IOCGBAT2REM', `0x80027605') +define(`MBXFB_IOCS_PLANEORDER', `0x8002f403') +define(`BLKI2OGRSTRAT', `0x80043201') +define(`BLKI2OGWSTRAT', `0x80043202') +define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100') +define(`CCISS_GETHEARTBEAT', `0x80044206') +define(`CCISS_GETBUSTYPES', `0x80044207') 
+define(`CCISS_GETFIRMVER', `0x80044208') +define(`CCISS_GETDRIVVER', `0x80044209') +define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300') +define(`CAPI_GET_FLAGS', `0x80044323') +define(`CAPI_SET_FLAGS', `0x80044324') +define(`CAPI_CLR_FLAGS', `0x80044325') +define(`CAPI_NCCI_OPENCOUNT', `0x80044326') +define(`CAPI_NCCI_GETUNIT', `0x80044327') +define(`EVIOCGVERSION', `0x80044501') +define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502') +define(`EVIOCGEFFECTS', `0x80044584') +define(`FBIOGET_CONTRAST', `0x80044601') +define(`FBIGET_BRIGHTNESS', `0x80044603') +define(`FBIGET_COLOR', `0x80044605') +define(`SSTFB_GET_VGAPASS', `0x800446dd') +define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800') +define(`HIDIOCGRDESCSIZE', `0x80044801') +define(`HIDIOCGVERSION', `0x80044801') +define(`HIDIOCGFLAG', `0x8004480e') +define(`HDA_IOCTL_PVERSION', `0x80044810') +define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840') +define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880') +define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884') +define(`HCIGETDEVLIST', `0x800448d2') +define(`HCIGETDEVINFO', `0x800448d3') +define(`HCIGETCONNLIST', `0x800448d4') +define(`HCIGETCONNINFO', `0x800448d5') +define(`HCIGETAUTHINFO', `0x800448d7') +define(`HCIINQUIRY', `0x800448f0') +define(`ROCCATIOCGREPSIZE', `0x800448f1') +define(`IMADDTIMER', `0x80044940') +define(`IMDELTIMER', `0x80044941') +define(`IMGETVERSION', `0x80044942') +define(`IMGETCOUNT', `0x80044943') +define(`IMGETDEVINFO', `0x80044944') +define(`IMCTRLREQ', `0x80044945') +define(`IMCLEAR_L2', `0x80044946') +define(`IMHOLD_L1', `0x80044948') +define(`MCE_GET_RECORD_LEN', `0x80044d01') +define(`MCE_GET_LOG_LEN', `0x80044d02') +define(`MCE_GETCLEAR_FLAGS', `0x80044d03') +define(`MEMGETREGIONCOUNT', `0x80044d07') +define(`MFB_GET_PIXFMT', `0x80044d08') +define(`OTPSELECT', `0x80044d0d') +define(`OSS_GETVERSION', `0x80044d76') +define(`UBI_IOCEBISMAP', `0x80044f05') +define(`SOUND_PCM_READ_RATE', `0x80045002') +define(`SOUND_PCM_READ_BITS', `0x80045005') 
+define(`SOUND_PCM_READ_CHANNELS', `0x80045006') +define(`SOUND_PCM_READ_FILTER', `0x80045007') +define(`SNDCTL_DSP_GETFMTS', `0x8004500b') +define(`SNDCTL_DSP_GETCAPS', `0x8004500f') +define(`SNDCTL_DSP_GETTRIGGER', `0x80045010') +define(`SNDCTL_DSP_GETODELAY', `0x80045017') +define(`SNDCTL_DSP_GETSPDIF', `0x80045043') +define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104') +define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105') +define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a') +define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b') +define(`SNDCTL_SEQ_GETTIME', `0x80045113') +define(`RNDGETENTCNT', `0x80045200') +define(`SAA6588_CMD_READ', `0x80045203') +define(`SAA6588_CMD_POLL', `0x80045204') +define(`RFCOMMGETDEVLIST', `0x800452d2') +define(`RFCOMMGETDEVINFO', `0x800452d3') +define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300') +define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301') +define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400') +define(`TIOCGPTN', `0x80045430') +define(`TIOCGDEV', `0x80045432') +define(`TIOCGPKT', `0x80045438') +define(`TIOCGPTLCK', `0x80045439') +define(`TIOCGEXCL', `0x80045440') +define(`TUNGETFEATURES', `0x800454cf') +define(`TUNGETIFF', `0x800454d2') +define(`TUNGETSNDBUF', `0x800454d3') +define(`TUNGETVNETHDRSZ', `0x800454d7') +define(`TUNGETVNETLE', `0x800454dd') +define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500') +define(`USBDEVFS_RESETEP', `0x80045503') +define(`USBDEVFS_SETCONFIGURATION', `0x80045505') +define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f') +define(`USBDEVFS_RELEASEINTERFACE', `0x80045510') +define(`USBDEVFS_CLEAR_HALT', `0x80045515') +define(`USBDEVFS_CLAIM_PORT', `0x80045518') +define(`USBDEVFS_RELEASE_PORT', `0x80045519') +define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a') +define(`UI_GET_VERSION', `0x8004552d') +define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530') +define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1') +define(`VIDIOC_G_INPUT', `0x80045626') +define(`VIDIOC_G_OUTPUT', `0x8004562e') +define(`VIDIOC_G_PRIORITY', `0x80045643') 
+define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
+define(`WDIOC_GETSTATUS', `0x80045701')
+define(`WDIOC_GETBOOTSTATUS', `0x80045702')
+define(`WDIOC_GETTEMP', `0x80045703')
+define(`WDIOC_SETOPTIONS', `0x80045704')
+define(`WDIOC_KEEPALIVE', `0x80045705')
+define(`WDIOC_GETTIMEOUT', `0x80045707')
+define(`WDIOC_GETPRETIMEOUT', `0x80045709')
+define(`WDIOC_GETTIMELEFT', `0x8004570a')
+define(`SONET_GETDIAG', `0x80046114')
+define(`SONET_GETFRAMING', `0x80046116')
+define(`CHIOGPICKER', `0x80046304')
+define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
+define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
+define(`FS_IOC32_GETFLAGS', `0x80046601')
+define(`LIRC_GET_FEATURES', `0x80046900')
+define(`LIRC_GET_SEND_MODE', `0x80046901')
+define(`LIRC_GET_REC_MODE', `0x80046902')
+define(`LIRC_GET_SEND_CARRIER', `0x80046903')
+define(`LIRC_GET_REC_CARRIER', `0x80046904')
+define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
+define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
+define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
+define(`I2OVALIDATE', `0x80046908')
+define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
+define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
+define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
+define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
+define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
+define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
+define(`LIRC_GET_LENGTH', `0x8004690f')
+define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
+define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
+define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
+define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
+define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
+define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
+define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
+define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
+define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
+define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
+define(`I8K_BIOS_VERSION', `0x80046980')
+define(`I8K_MACHINE_ID', `0x80046981')
+define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
+define(`JSIOCGVERSION', `0x80046a01')
+define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
+define(`SPI_IOC_RD_MODE32', `0x80046b05')
+define(`UDF_GETEASIZE', `0x80046c40')
+define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
+define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
+define(`SISFB_GET_INFO_OLD', `0x80046ef8')
+define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
+define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
+define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
+define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
+define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
+define(`FE_READ_STATUS', `0x80046f45')
+define(`FE_READ_BER', `0x80046f46')
+define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
+define(`RTC_VL_READ', `0x80047013')
+define(`PPCLRIRQ', `0x80047093')
+define(`PPGETMODES', `0x80047097')
+define(`PPGETMODE', `0x80047098')
+define(`PPGETPHASE', `0x80047099')
+define(`PPGETFLAGS', `0x8004709a')
+define(`PHONE_DTMF_READY', `0x80047196')
+define(`PHONE_GET_DTMF', `0x80047197')
+define(`PHONE_GET_DTMF_ASCII', `0x80047198')
+define(`PHONE_EXCEPTION', `0x8004719a')
+define(`IXJCTL_CARDTYPE', `0x800471c1')
+define(`IXJCTL_SERIAL', `0x800471c2')
+define(`IXJCTL_DSP_TYPE', `0x800471c3')
+define(`IXJCTL_DSP_VERSION', `0x800471c4')
+define(`IXJCTL_VMWI', `0x800471d8')
+define(`BR_ERROR', `0x80047200')
+define(`BR_ACQUIRE_RESULT', `0x80047204')
+define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
+define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
+define(`FS_IOC32_GETVERSION', `0x80047601')
+define(`MEYEIOC_STILLJCAPT', `0x800476c5')
+define(`OSIOCGNETADDR', `0x800489e1')
+define(`SIOCGNETADDR', `0x800489e1')
+define(`AUTOFS_IOC_PROTOVER', `0x80049363')
+define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
+define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
+define(`GENWQE_GET_CARD_STATE', `0x8004a524')
+define(`KVM_GET_MP_STATE', `0x8004ae98')
+define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
+define(`SISFB_GET_INFO_SIZE', `0x8004f300')
+define(`SISFB_GET_VBRSTATUS', `0x8004f302')
+define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
+define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
+define(`SONET_GETFRSENSE', `0x80066117')
+define(`MEYEIOC_G_PARAMS', `0x800676c0')
+define(`BLKBSZGET', `0x80081270')
+define(`BLKGETSIZE64', `0x80081272')
+define(`PERF_EVENT_IOC_ID', `0x80082407')
+define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
+define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
+define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
+define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
+define(`AGPIOC_INFO', `0x80084100')
+define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
+define(`CCISS_GETPCIINFO', `0x80084201')
+define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
+define(`CCISS_GETINTINFO', `0x80084202')
+define(`PMU_IOC_GET_MODEL', `0x80084203')
+define(`PMU_IOC_HAS_ADB', `0x80084204')
+define(`PMU_IOC_CAN_SLEEP', `0x80084205')
+define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
+define(`EVIOCGID', `0x80084502')
+define(`EVIOCGREP', `0x80084503')
+define(`EVIOCGKEYCODE', `0x80084504')
+define(`FBIO_GETCONTROL2', `0x80084689')
+define(`HIDIOCGRAWINFO', `0x80084803')
+define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
+define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
+define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
+define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
+define(`MFB_GET_AOID', `0x80084d04')
+define(`MEMISLOCKED', `0x80084d17')
+define(`RNDGETPOOL', `0x80085202')
+define(`USBDEVFS_SETINTERFACE', `0x80085504')
+define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
+define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
+define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
+define(`VIDIOC_G_STD', `0x80085617')
+define(`VIDIOC_QUERYSTD', `0x8008563f')
+define(`CM_IOCGSTATUS', `0x80086300')
+define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
+define(`FS_IOC_GETFLAGS', `0x80086601')
+define(`I2OPASSTHRU32', `0x8008690c')
+define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
+define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
+define(`I8K_POWER_STATUS', `0x80086982')
+define(`I8K_FN_STATUS', `0x80086983')
+define(`I8K_GET_TEMP', `0x80086984')
+define(`UDF_GETEABLOCK', `0x80086c41')
+define(`UDF_GETVOLIDENT', `0x80086c42')
+define(`MMTIMER_GETRES', `0x80086d01')
+define(`MMTIMER_GETFREQ', `0x80086d02')
+define(`MTIOCPOS', `0x80086d03')
+define(`MMTIMER_GETCOUNTER', `0x80086d09')
+define(`NILFS_IOCTL_SYNC', `0x80086e8a')
+define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
+define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
+define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
+define(`AUDIO_GET_PTS', `0x80086f13')
+define(`DMX_GET_CAPS', `0x80086f30')
+define(`VIDEO_GET_PTS', `0x80086f39')
+define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
+define(`CA_GET_DESCR_INFO', `0x80086f83')
+define(`RTC_IRQP_READ', `0x8008700b')
+define(`RTC_EPOCH_READ', `0x8008700d')
+define(`PPS_GETPARAMS', `0x800870a1')
+define(`PPS_GETCAP', `0x800870a3')
+define(`PHONE_CAPABILITIES_LIST', `0x80087181')
+define(`IXJCTL_CID', `0x800871d4')
+define(`IXJCTL_VERSION', `0x800871da')
+define(`IXJCTL_FRAMES_READ', `0x800871e2')
+define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
+define(`IXJCTL_READ_WAIT', `0x800871e4')
+define(`IXJCTL_WRITE_WAIT', `0x800871e5')
+define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
+define(`BR_DEAD_BINDER', `0x8008720f')
+define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
+define(`FS_IOC_GETVERSION', `0x80087601')
+define(`BTRFS_IOC_START_SYNC', `0x80089418')
+define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
+define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
+define(`KVM_ALLOCATE_RMA', `0x8008aea9')
+define(`VHOST_GET_FEATURES', `0x8008af00')
+define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
+define(`DMX_GET_PES_PIDS', `0x800a6f2f')
+define(`RAID_VERSION', `0x800c0910')
+define(`CCISS_GETLUNINFO', `0x800c4211')
+define(`OTPLOCK', `0x800c4d10')
+define(`OMAPFB_GET_CAPS', `0x800c4f2a')
+define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
+define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
+define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
+define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
+define(`NCP_IOC_SETROOT', `0x800c6e08')
+define(`VIDEO_GET_SIZE', `0x800c6f37')
+define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
+define(`CA_GET_SLOT_INFO', `0x800c6f82')
+define(`FDGETDRVTYP', `0x8010020f')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
+define(`CCISS_GETNODENAME', `0x80104204')
+define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
+define(`ECCGETSTATS', `0x80104d12')
+define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
+define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
+define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
+define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
+define(`TUNGETFILTER', `0x801054db')
+define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
+define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
+define(`I2OPASSTHRU', `0x8010690c')
+define(`MGSL_IOCGGPIO', `0x80106d11')
+define(`NCP_IOC_NCPREQUEST', `0x80106e01')
+define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
+define(`FE_GET_PROPERTY', `0x80106f53')
+define(`CA_GET_CAP', `0x80106f81')
+define(`OSD_GET_CAPABILITY', `0x80106fa1')
+define(`PPGETTIME', `0x80107095')
+define(`BR_INCREFS', `0x80107207')
+define(`BR_ACQUIRE', `0x80107208')
+define(`BR_RELEASE', `0x80107209')
+define(`BR_DECREFS', `0x8010720a')
+define(`GENWQE_READ_REG64', `0x8010a51e')
+define(`GENWQE_READ_REG32', `0x8010a520')
+define(`GENWQE_READ_REG16', `0x8010a522')
+define(`FDGETMAXERRS', `0x8014020e')
+define(`GET_DISK_INFO', `0x80140912')
+define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
+define(`CHIOGPARAMS', `0x80146306')
+define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
+define(`VIDEO_GET_STATUS', `0x80146f1b')
+define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
+define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
+define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
+define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
+define(`IMSETDEVNAME', `0x80184947')
+define(`OMAPFB_MEMORY_READ', `0x80184f3a')
+define(`HPET_INFO', `0x80186803')
+define(`NCP_IOC_SIGN_INIT', `0x80186e05')
+define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
+define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
+define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
+define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
+define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
+define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
+define(`MBXFB_IOCG_ALPHA', `0x8018f401')
+define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
+define(`HIDIOCGDEVINFO', `0x801c4803')
+define(`FDGETPRM', `0x80200204')
+define(`FBIOGET_VBLANK', `0x80204612')
+define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
+define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
+define(`MEMGETINFO', `0x80204d01')
+define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
+define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
+define(`I2OGETIOPS', `0x80206900')
+define(`AUDIO_GET_STATUS', `0x80206f0a')
+define(`VIDEO_GET_EVENT', `0x80206f1c')
+define(`RTC_PLL_GET', `0x80207011')
+define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
+define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
+define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
+define(`SONET_GETSTAT', `0x80246110')
+define(`SONET_GETSTATZ', `0x80246111')
+define(`JSIOCGCORR', `0x80246a22')
+define(`FE_GET_FRONTEND', `0x80246f4d')
+define(`RTC_ALM_READ', `0x80247008')
+define(`RTC_RD_TIME', `0x80247009')
+define(`FDGETFDCSTAT', `0x80280215')
+define(`FDWERRORGET', `0x80280217')
+define(`EVIOCGKEYCODE_V2', `0x80284504')
+define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
+define(`WDIOC_GETSUPPORT', `0x80285700')
+define(`IPMICTL_SEND_COMMAND', `0x8028690d')
+define(`FE_GET_EVENT', `0x80286f4e')
+define(`RTC_WKALM_RD', `0x80287010')
+define(`IOW_GETINFO', `0x8028c003')
+define(`USBDEVFS_SUBMITURB32', `0x802a550a')
+define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
+define(`TCGETS2', `0x802c542a')
+define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
+define(`VIDIOC_G_FBUF', `0x8030560a')
+define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
+define(`MGSL_IOCGPARAMS', `0x80306d01')
+define(`MTIOCGET', `0x80306d02')
+define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
+define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
+define(`KVM_GET_CLOCK', `0x8030ae7c')
+define(`VIDIOC_G_AUDIO', `0x80345621')
+define(`VIDIOC_G_AUDOUT', `0x80345631')
+define(`USBDEVFS_SUBMITURB', `0x8038550a')
+define(`DRM_IOCTL_AGP_INFO', `0x80386433')
+define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
+define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
+define(`JSIOCGAXMAP', `0x80406a32')
+define(`BR_TRANSACTION', `0x80407202')
+define(`BR_REPLY', `0x80407203')
+define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
+define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
+define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
+define(`GET_ARRAY_INFO', `0x80480911')
+define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
+define(`KVM_SET_PIT', `0x8048ae66')
+define(`GSMIOC_GETCONF', `0x804c4700')
+define(`FDGETDRVSTAT', `0x80500212')
+define(`FDPOLLDRVSTAT', `0x80500213')
+define(`PTP_CLOCK_GETCAPS', `0x80503d01')
+define(`SOUND_MIXER_INFO', `0x805c4d65')
+define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
+define(`VIDIOC_QUERYCAP', `0x80685600')
+define(`I2OEVTGET', `0x8068690b')
+define(`CHIOGVPARAMS', `0x80706313')
+define(`KVM_GET_PIT2', `0x8070ae9f')
+define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
+define(`FDGETDRVPRM', `0x80800211')
+define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
+define(`KVM_GET_DEBUGREGS', `0x8080aea1')
+define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_DQEVENT', `0x80885659')
+define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
+define(`KVM_GET_REGS', `0x8090ae81')
+define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
+define(`FE_GET_INFO', `0x80a86f3d')
+define(`MEMGETOOBSEL', `0x80c84d0a')
+define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
+define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
+define(`SNDRV_TIMER_IOCTL_INFO', 
`0x80e85411')
+define(`DRM_IOCTL_GET_STATS', `0x80f86406')
+define(`ASHMEM_GET_NAME', `0x81007702')
+define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
+define(`HIDIOCGSTRING', `0x81044804')
+define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
+define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
+define(`CA_GET_MSG', `0x810c6f84')
+define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
+define(`SISFB_GET_INFO', `0x811cf301')
+define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
+define(`KVM_GET_SREGS', `0x8138ae83')
+define(`ECCGETLAYOUT', `0x81484d11')
+define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
+define(`KVM_GET_XCRS', `0x8188aea6')
+define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
+define(`KVM_GET_FPU', `0x81a0ae8c')
+define(`KVM_SET_IRQCHIP', `0x8208ae63')
+define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
+define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
+define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
+define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
+define(`JSIOCGBTNMAP', `0x84006a34')
+define(`BTRFS_IOC_FS_INFO', `0x8400941f')
+define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
+define(`KVM_GET_LAPIC', `0x8400ae8e')
+define(`VIDEO_GET_NAVI', `0x84046f34')
+define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
+define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
+define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
+define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
+define(`GET_BITMAP_FILE', `0x90000915')
+define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
+define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
+define(`KVM_GET_XSAVE', `0x9000aea4')
+define(`HIDIOCGRDESC', `0x90044802')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
+define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
+define(`CAPI_GET_MANUFACTURER', `0xc0044306')
+define(`CAPI_GET_SERIAL', `0xc0044308')
+define(`GIGASET_REDIR', `0xc0044700')
+define(`GIGASET_CONFIG', `0xc0044701')
+define(`ION_IOC_FREE', `0xc0044901')
+define(`SOUND_MIXER_AGC', `0xc0044d67')
+define(`SOUND_MIXER_3DSE', `0xc0044d68')
+define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
+define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
+define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
+define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
+define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
+define(`SNDCTL_DSP_SPEED', `0xc0045002')
+define(`SNDCTL_DSP_STEREO', `0xc0045003')
+define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
+define(`SNDCTL_DSP_SETFMT', `0xc0045005')
+define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
+define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
+define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
+define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
+define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
+define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
+define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
+define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
+define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
+define(`SNDCTL_TMR_TEMPO', `0xc0045405')
+define(`SNDCTL_TMR_SOURCE', `0xc0045406')
+define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
+define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
+define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
+define(`VIDIOC_S_INPUT', `0xc0045627')
+define(`VIDIOC_S_OUTPUT', `0xc004562f')
+define(`WDIOC_SETTIMEOUT', `0xc0045706')
+define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
+define(`FIFREEZE', `0xc0045877')
+define(`FITHAW', `0xc0045878')
+define(`SONET_SETDIAG', `0xc0046112')
+define(`SONET_CLRDIAG', `0xc0046113')
+define(`BINDER_VERSION', `0xc0046209')
+define(`DRM_IOCTL_BLOCK', `0xc0046412')
+define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
+define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
+define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
+define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
+define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
+define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
+define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
+define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
+define(`MGSL_IOCWAITEVENT', `0xc0046d08')
+define(`TOSH_SMM', `0xc0047490')
+define(`MEYEIOC_SYNC', 
`0xc00476c3')
+define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
+define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
+define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
+define(`NET_ADD_IF', `0xc0066f34')
+define(`NET_GET_IF', `0xc0066f36')
+define(`AGPIOC_ALLOCATE', `0xc0084106')
+define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
+define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
+define(`ION_IOC_MAP', `0xc0084902')
+define(`ION_IOC_SHARE', `0xc0084904')
+define(`ION_IOC_IMPORT', `0xc0084905')
+define(`ION_IOC_SYNC', `0xc0084907')
+define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
+define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
+define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
+define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
+define(`VIDIOC_G_CTRL', `0xc008561b')
+define(`VIDIOC_S_CTRL', `0xc008561c')
+define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
+define(`CM_IOCGATR', `0xc0086301')
+define(`CIOC_KERNEL_VERSION', `0xc008630a')
+define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
+define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
+define(`DRM_IOCTL_RM_CTX', `0xc0086421')
+define(`DRM_IOCTL_GET_CTX', `0xc0086423')
+define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
+define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
+define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
+define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
+define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
+define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
+define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
+define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
+define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
+define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
+define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
+define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
+define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
+define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
+define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
+define(`I8K_GET_SPEED', `0xc0086985')
+define(`I8K_GET_FAN', `0xc0086986')
+define(`I8K_SET_FAN', `0xc0086987')
+define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
+define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
+define(`PHN_GET_REG', `0xc0087000')
+define(`PHN_GET_REGS', `0xc0087002')
+define(`PHN_GETREG', `0xc0087005')
+define(`PPS_FETCH', `0xc00870a4')
+define(`PHONE_QUERY_CODEC', `0xc00871a7')
+define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
+define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
+define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
+define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
+define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
+define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
+define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
+define(`KVM_GET_MSRS', `0xc008ae88')
+define(`KVM_GET_CPUID2', `0xc008ae91')
+define(`KVM_GET_REG_LIST', `0xc008aeb0')
+define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
+define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
+define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
+define(`VHOST_GET_VRING_BASE', `0xc008af12')
+define(`HIDIOCGREPORTINFO', `0xc00c4809')
+define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
+define(`USBDEVFS_IOCTL32', `0xc00c5512')
+define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
+define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
+define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
+define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
+define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
+define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
+define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
+define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
+define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
+define(`KVM_CREATE_DEVICE', `0xc00caee0')
+define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
+define(`MBXFB_IOCX_REG', `0xc00cf405')
+define(`CAPI_GET_VERSION', `0xc0104307')
+define(`CAPI_MANUFACTURER_CMD', 
`0xc0104320')
+define(`GIGASET_VERSION', `0xc0104703')
+define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
+define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
+define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
+define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
+define(`ION_IOC_CUSTOM', `0xc0104906')
+define(`MEMWRITEOOB', `0xc0104d03')
+define(`MEMREADOOB', `0xc0104d04')
+define(`MEMGETREGIONINFO', `0xc0104d08')
+define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
+define(`USBDEVFS_CONTROL32', `0xc0105500')
+define(`USBDEVFS_BULK32', `0xc0105502')
+define(`USBDEVFS_IOCTL', `0xc0105512')
+define(`NS_GETPSTAT', `0xc0106161')
+define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
+define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
+define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
+define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
+define(`DRM_IOCTL_GET_CAP', `0xc010640c')
+define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
+define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
+define(`DRM_IOCTL_RES_CTX', `0xc0106426')
+define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
+define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
+define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
+define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
+define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
+define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
+define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
+define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
+define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
+define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
+define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
+define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
+define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', 
`0xc0106449')
+define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
+define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
+define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
+define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
+define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
+define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
+define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
+define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
+define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
+define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
+define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
+define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
+define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
+define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
+define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
+define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
+define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
+define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
+define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
+define(`MGSL_IOCWAITGPIO', `0xc0106d12')
+define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
+define(`DMX_GET_STC', `0xc0106f32')
+define(`UVCIOC_CTRL_QUERY', `0xc0107521')
+define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
+define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
+define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
+define(`SNDCTL_COPR_RDATA', `0xc0144302')
+define(`SNDCTL_COPR_RCODE', `0xc0144303')
+define(`SNDCTL_COPR_RUN', `0xc0144306')
+define(`SNDCTL_COPR_HALT', `0xc0144307')
+define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
+define(`VIDIOC_REQBUFS', `0xc0145608')
+define(`VIDIOC_G_CROP', `0xc014563b')
+define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
+define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
+define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
+define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
+define(`HIDIOCGUSAGE', `0xc018480b')
+define(`HIDIOCGUCODE', `0xc018480d')
+define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
+define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
+define(`MEMWRITEOOB64', `0xc0184d15')
+define(`MEMREADOOB64', `0xc0184d16')
+define(`USBDEVFS_CONTROL', `0xc0185500')
+define(`USBDEVFS_BULK', `0xc0185502')
+define(`PACKET_CTRL_CMD', `0xc0185801')
+define(`FITRIM', `0xc0185879')
+define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
+define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
+define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
+define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
+define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
+define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
+define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
+define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
+define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
+define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
+define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
+define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
+define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
+define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
+define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
+define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
+define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
+define(`I2OHRTGET', `0xc0186901')
+define(`I2OLCTGET', `0xc0186902')
+define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
+define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
+define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
+define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
+define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
+define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
+define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
+define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
+define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
+define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
+define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
+define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
+define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
+define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
+define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
+define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
+define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
+define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
+define(`KVM_TRANSLATE', `0xc018ae85')
+define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
+define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
+define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
+define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
+define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
+define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
+define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
+define(`ION_IOC_ALLOC', `0xc0204900')
+define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
+define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
+define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
+define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
+define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
+define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
+define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
+define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
+define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
+define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
+define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
+define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
+define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
+define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
+define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
+define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
+define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
+define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
+define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
+define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
+define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
+define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
+define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
+define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
+define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`GENWQE_PIN_MEM', `0xc020a528')
+define(`GENWQE_UNPIN_MEM', `0xc020a529')
+define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
+define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
+define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
+define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
+define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
+define(`SYNC_IOC_MERGE', `0xc0283e01')
+define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
+define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
+define(`VIDIOC_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
+define(`VIDIOC_S_EDID', `0xc0285629')
+define(`VIDIOC_ENCODER_CMD', `0xc028564d')
+define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
+define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
+define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
+define(`DRM_IOCTL_GET_MAP', `0xc0286404')
+define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
+define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
+define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
+define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
+define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
+define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
+define(`I2OPARMSET', `0xc0286903')
+define(`I2OPARMGET', `0xc0286904')
+define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
+define(`PHN_GETREGS', `0xc0287007')
+define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
+define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
+define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
+define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
+define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
+define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
+define(`VIDIOC_QUERYMENU', `0xc02c5625')
+define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
+define(`VIDIOC_CROPCAP', `0xc02c563a')
+define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
+define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
+define(`MEMWRITE', `0xc0304d18')
+define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
+define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
+define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
+define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
+define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
+define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
+define(`BINDER_WRITE_READ', `0xc0306201')
+define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
+define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
+define(`I2OSWDL', `0xc0306905')
+define(`I2OSWUL', `0xc0306906')
+define(`I2OSWDEL', `0xc0306907')
+define(`I2OHTML', `0xc0306909')
+define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
+define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
+define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
+define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
+define(`VIDIOC_ENUMAUDIO', `0xc0345641')
+define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
+define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
+define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
+define(`HIDIOCGFIELDINFO', `0xc038480a')
+define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
+define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
+define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
+define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
+define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
+define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
+define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
+define(`GENWQE_SLU_UPDATE', `0xc038a550')
+define(`GENWQE_SLU_READ', `0xc038a551')
+define(`CAPI_GET_PROFILE', `0xc0404309')
+define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
+define(`VIDIOC_ENUM_FMT', `0xc0405602')
+define(`VIDIOC_EXPBUF', `0xc0405610')
+define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
+define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
+define(`VIDIOC_G_SELECTION', `0xc040565e')
+define(`VIDIOC_S_SELECTION', `0xc040565f')
+define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
+define(`DRM_IOCTL_VERSION', `0xc0406400')
+define(`DRM_IOCTL_DMA', `0xc0406429') +define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481') +define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0') +define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa') +define(`VIDIOC_QUERYCTRL', `0xc0445624') +define(`VIDIOC_G_MODULATOR', `0xc0445636') +define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8') +define(`BLKTRACESETUP', `0xc0481273') +define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831') +define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41') +define(`NVME_IOCTL_IO_CMD', `0xc0484e43') +define(`VIDIOC_ENUMSTD', `0xc0485619') +define(`VIDIOC_ENUMOUTPUT', `0xc0485630') +define(`VIDIOC_DECODER_CMD', `0xc0485660') +define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661') +define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8') +define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9') +define(`VIDEO_COMMAND', `0xc0486f3b') +define(`VIDEO_TRY_COMMAND', `0xc0486f3c') +define(`KVM_GET_PIT', `0xc048ae65') +define(`MMC_IOC_CMD', `0xc048b300') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349') +define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5') +define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350') +define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405') +define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510') +define(`VIDIOC_ENUMINPUT', `0xc050561a') +define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470') +define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7') +define(`VIDIOC_G_TUNER', `0xc054561d') +define(`SISFB_COMMAND', `0xc054f305') +define(`CCISS_PASSTHRU', `0xc058420b') +define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02') +define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b') +define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f') +define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604') +define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605') +define(`VIDIOC_QUERYBUF', `0xc0585609') +define(`VIDIOC_QBUF', `0xc058560f') +define(`VIDIOC_DQBUF', `0xc0585611') +define(`VIDIOC_PREPARE_BUF', `0xc058565d') +define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340') 
+define(`PTP_PIN_GETFUNC', `0xc0603d06') +define(`CCISS_BIG_PASSTHRU', `0xc0604212') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345') +define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471') +define(`UVCIOC_CTRL_MAP', `0xc0607520') +define(`FBIO_CURSOR', `0xc0684608') +define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8') +define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1') +define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2') +define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2') +define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411') +define(`SNDCTL_MIDI_INFO', `0xc074510c') +define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645') +define(`SOUND_MIXER_ACCESS', `0xc0804d66') +define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657') +define(`VIDIOC_S_DV_TIMINGS', `0xc0845657') +define(`VIDIOC_G_DV_TIMINGS', `0xc0845658') +define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658') +define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113') +define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123') +define(`SNDCTL_SYNTH_INFO', `0xc08c5102') +define(`SNDCTL_SYNTH_ID', `0xc08c5114') +define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332') +define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334') +define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335') +define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336') +define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664') +define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664') +define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662') +define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662') +define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74') +define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75') +define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320') +define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322') +define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352') +define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310') +define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351') +define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310') +define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666') +define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425') 
+define(`VIDIOC_G_PARM', `0xc0cc5615') +define(`VIDIOC_S_PARM', `0xc0cc5616') +define(`VIDIOC_G_FMT', `0xc0d05604') +define(`VIDIOC_S_FMT', `0xc0d05605') +define(`VIDIOC_TRY_FMT', `0xc0d05640') +define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667') +define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532') +define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533') +define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403') +define(`VIDIOC_CREATE_BUFS', `0xc100565c') +define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00') +define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01') +define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541') +define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511') +define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517') +define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518') +define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531') +define(`DM_VERSION', `0xc138fd00') +define(`DM_REMOVE_ALL', `0xc138fd01') +define(`DM_LIST_DEVICES', `0xc138fd02') +define(`DM_DEV_CREATE', `0xc138fd03') +define(`DM_DEV_REMOVE', `0xc138fd04') +define(`DM_DEV_RENAME', `0xc138fd05') +define(`DM_DEV_SUSPEND', `0xc138fd06') +define(`DM_DEV_STATUS', `0xc138fd07') +define(`DM_DEV_WAIT', `0xc138fd08') +define(`DM_TABLE_LOAD', `0xc138fd09') +define(`DM_TABLE_CLEAR', `0xc138fd0a') +define(`DM_TABLE_DEPS', `0xc138fd0b') +define(`DM_TABLE_STATUS', `0xc138fd0c') +define(`DM_LIST_VERSIONS', `0xc138fd0d') +define(`DM_TARGET_MSG', `0xc138fd0e') +define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f') +define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812') +define(`KVM_GET_IRQCHIP', `0xc208ae62') +define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110') +define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111') +define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1') +define(`BTRFS_IOC_SCRUB', `0xc400941b') +define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d') +define(`BTRFS_IOC_BALANCE_V2', `0xc4009420') +define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434') +define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512') +define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513') +define(`BTRFS_IOC_DEV_REPLACE', `0xca289435') 
+define(`SNDCTL_COPR_SENDMSG', `0xcfa44308') +define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115') +define(`SNDCTL_COPR_LOAD', `0xcfb04301') +define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411') +define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412') +define(`BTRFS_IOC_DEV_INFO', `0xd000941e') +define(`HIDIOCGUSAGES', `0xd01c4813') +define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311') +define(`WAN_IOC_ADD_FLT_RULE', `0x00006900') +define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902') +define(`PPPIOCGL2TPSTATS', `0x7436') +define(`PPPIOCGCHAN', `0x7437') +define(`PPPIOCATTCHAN', `0x7438') +define(`PPPIOCDISCONN', `0x7439') +define(`PPPIOCCONNECT', `0x743a') +define(`PPPIOCSMRRU', `0x743b') +define(`PPPIOCDETACH', `0x743c') +define(`PPPIOCATTACH', `0x743d') +define(`PPPIOCNEWUNIT', `0x743e') +define(`PPPIOCGIDLE', `0x743f') +define(`PPPIOCSDEBUG', `0x7440') +define(`PPPIOCGDEBUG', `0x7441') +define(`PPPIOCSACTIVE', `0x7446') +define(`PPPIOCSPASS', `0x7447') +define(`PPPIOCSNPMODE', `0x744b') +define(`PPPIOCGNPMODE', `0x744c') +define(`PPPIOCSCOMPRESS', `0x744d') +define(`PPPIOCXFERUNIT', `0x744e') +define(`PPPIOCSXASYNCMAP', `0x744f') +define(`PPPIOCGXASYNCMAP', `0x7450') +define(`PPPIOCSMAXCID', `0x7451') +define(`PPPIOCSMRU', `0x7452') +define(`PPPIOCGMRU', `0x7453') +define(`PPPIOCSRASYNCMAP', `0x7454') +define(`PPPIOCGRASYNCMAP', `0x7455') +define(`PPPIOCGUNIT', `0x7456') +define(`PPPIOCSASYNCMAP', `0x7457') +define(`PPPIOCGASYNCMAP', `0x7458') +define(`PPPIOCSFLAGS', `0x7459') +define(`PPPIOCGFLAGS', `0x745a') +define(`PPPIOCGCALLINFO', `0x7480') +define(`PPPIOCBUNDLE', `0x7481') +define(`PPPIOCGMPFLAGS', `0x7482') +define(`PPPIOCSMPFLAGS', `0x7483') +define(`PPPIOCSMPMTU', `0x7484') +define(`PPPIOCSMPMRU', `0x7485') +define(`PPPIOCGCOMPRESSORS', `0x7486') +define(`PPPIOCSCOMPRESSOR', `0x7487') +define(`PPPIOCGIFNAME', `0x7488') diff --git a/prebuilts/api/28.0/public/ioctl_macros b/prebuilts/api/28.0/public/ioctl_macros new file mode 100644 index 000000000..f7081d576 --- /dev/null 
+++ b/prebuilts/api/28.0/public/ioctl_macros 
@@ -0,0 +1,68 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# Socket ioctls for gathering information about the interface
+SIOCGSTAMP SIOCGSTAMPNS
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
+SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
+# Wireless extension ioctls. Primarily get functions.
+SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
+SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
+SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
+}')
+
+# socket ioctls never allowed to unprivileged apps
+define(`priv_sock_ioctls', `
+{
+# qualcomm rmnet ioctls
+WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
+# socket ioctls
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
+SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
+SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
+SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
+SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
+SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
+SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
+SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
+SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
+# device and protocol specific ioctls
+SIOCDEVPRIVATE-SIOCDEVPRIVLAST
+SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
+# Wireless extension ioctls
+SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
+SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
+SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
+SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
+SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
+# Dev private ioctl i.e. hardware specific ioctls
+SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
+}')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{
+ TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
+
+# commonly used TTY ioctls
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+ TIOCOUTQ FIOCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW
+ TCFLSH TIOCSPGRP TIOCGPGRP
+}')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
diff --git a/prebuilts/api/28.0/public/isolated_app.te b/prebuilts/api/28.0/public/isolated_app.te
new file mode 100644
index 000000000..a907dacc2
--- /dev/null
+++ b/prebuilts/api/28.0/public/isolated_app.te
@@ -0,0 +1,9 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+type isolated_app, domain;
diff --git a/prebuilts/api/28.0/public/kernel.te b/prebuilts/api/28.0/public/kernel.te
new file mode 100644
index 000000000..c8521e329
--- /dev/null
+++ b/prebuilts/api/28.0/public/kernel.te
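Review bot: `unpriv_sock_ioctls` is introduced as "Primarily get functions", yet the wireless list contains `SIOCSIWTHRSPY` (between `SIOCGIWSPY` and `SIOCGIWTHRSPY`), the only set-ioctl in the unprivileged set. A reader auditing what unprivileged apps may send will read it either as a deliberate exception or as a typo for the G variant, and the comment does not say which. If the setter is intended, a comment next to it such as `# SIOCSIWTHRSPY (set spy threshold) is deliberately unprivileged` removes the doubt; if not, it belongs in `priv_sock_ioctls`. Since this path is a prebuilt snapshot, the wording presumably has to change in the policy source it mirrors.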
@@ -0,0 +1,105 @@
+# Life begins with the kernel.
+type kernel, domain, mlstrustedsubject;
+
+allow kernel self:global_capability_class_set sys_nice;
+
+# Root fs.
+r_dir_file(kernel, rootfs)
+allow kernel proc_cmdline:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Mount usbfs.
+allow kernel usbfs:filesystem mount;
+allow kernel usbfs:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Write to /proc/1/oom_adj prior to switching to init domain.
+allow kernel self:global_capability_class_set sys_resource;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel sdcard_type:file { read write };
+
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
+allow kernel app_data_file:file read;
+allow kernel asec_image_file:file read;
+
+# Allow reading loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
+userdebug_or_eng(`
+ allow kernel update_engine_data_file:file read;
+ allow kernel nativetest_data_file:file read;
+')
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file read;
+
+###
+### neverallow rules
+###
+
+# The initial task starts in the kernel domain (assigned via
+# initial_sid_contexts), but nothing ever transitions to it.
+neverallow * kernel:process { transition dyntransition };
+
+# The kernel domain is never entered via an exec, nor should it
+# ever execute a program outside the rootfs without changing to another domain.
+# If you encounter an execute_no_trans denial on the kernel domain, then
+# possible causes include:
+# - The program is a kernel usermodehelper. In this case, define a domain
+# for the program and domain_auto_trans() to it.
+# - You are running an exploit which switched to the init task credentials
+# and is then trying to exec a shell or other program. You lose!
+neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
diff --git a/prebuilts/api/28.0/public/keystore.te b/prebuilts/api/28.0/public/keystore.te
new file mode 100644
index 000000000..ee5e67574
--- /dev/null
+++ b/prebuilts/api/28.0/public/keystore.te
@@ -0,0 +1,34 @@
+type keystore, domain;
+type keystore_exec, exec_type, file_type;
+
+# keystore daemon
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+binder_call(keystore, system_server)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+
+###
+### Neverallow rules
+###
+### Protect ourself from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+
+neverallow * keystore:process ptrace;
diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te
new file mode 100644
index 000000000..5b6a7084b
--- /dev/null
+++ b/prebuilts/api/28.0/public/lmkd.te
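Review bot: In kernel.te the comment "Allow writing to /dev/kmsg which was created prior to loading policy" (first part of this hunk) is narrower than the rule under it, `allow kernel tmpfs:chr_file write;`, whose object is every character device carrying the tmpfs label, not one node. Anyone later auditing the kernel domain's write surface needs that stated, because the rule cannot be read as "/dev/kmsg only" from the policy itself. A second comment line such as `# Note: the object is any chr_file still labeled tmpfs, not just /dev/kmsg.` keeps the intent and the actual grant in the same place. As a prebuilt snapshot, the text presumably has to change in the policy source this file mirrors.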
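Review bot: In keystore.te the two neverallow pairs under "Protect ourself from others" look redundant at first glance but are not, and nothing says why: the first pair (`{ domain -keystore }` with `~{ ... }`) is the only rule that bounds init, since the second pair excludes init entirely. So init is limited to open/create/read/getattr/setattr/search/relabelto/ioctl on keystore_data_file directories and to relabelto/getattr on its files, while every other domain is denied everything. A one-line comment before the first pair, `# The first pair also bounds init (it is not excluded there); the second pair denies every other domain outright.`, would stop a future edit from "simplifying" the pairs away.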
@@ -0,0 +1,49 @@
+# lmkd low memory killer daemon
+type lmkd, domain, mlstrustedsubject;
+type lmkd_exec, exec_type, file_type;
+
+allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:global_capability_class_set ipc_lock;
+
+## Open and write to /proc/PID/oom_score_adj
+## TODO: maybe scope this down?
+r_dir_file(lmkd, appdomain)
+allow lmkd appdomain:file write;
+r_dir_file(lmkd, system_server)
+allow lmkd system_server:file write;
+
+## Writes to /sys/module/lowmemorykiller/parameters/minfree
+r_dir_file(lmkd, sysfs_lowmemorykiller)
+allow lmkd sysfs_lowmemorykiller:file w_file_perms;
+
+# Send kill signals
+allow lmkd appdomain:process sigkill;
+
+# Clean up old cgroups
+allow lmkd cgroup:dir { remove_name rmdir };
+
+# Allow to read memcg stats
+allow lmkd cgroup:file r_file_perms;
+
+# Set self to SCHED_FIFO
+allow lmkd self:global_capability_class_set sys_nice;
+
+allow lmkd proc_zoneinfo:file r_file_perms;
+
+# live lock watchdog process allowed to look through /proc/
+allow lmkd domain:dir { search open read };
+allow lmkd domain:file { open read };
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow lmkd proc_sysrq:file rw_file_perms;
+
+### neverallow rules
+
+# never honor LD_PRELOAD
+neverallow * lmkd:process noatsecure;
diff --git a/prebuilts/api/28.0/public/logd.te b/prebuilts/api/28.0/public/logd.te
new file mode 100644
index 000000000..817a7059f
--- /dev/null
+++ b/prebuilts/api/28.0/public/logd.te
@@ -0,0 +1,73 @@
+# android user-space log manager
+type logd, domain, mlstrustedsubject;
+type logd_exec, exec_type, file_type;
+
+# Read access to pseudo filesystems.
+r_dir_file(logd, cgroup)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+r_dir_file(logd, proc_net)
+
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kernel:system syslog_read;
+allow logd kmsg_device:chr_file w_file_perms;
+allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+ # Access to /data/misc/logd/event-log-tags
+ allow logd misc_logd_file:dir r_dir_perms;
+ allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
+
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
+r_dir_file(logd, domain)
+
+allow logd kernel:system syslog_mod;
+
+control_logd(logd)
+read_runtime_log_tags(logd)
+
+allow runtime_event_log_tags_file tmpfs:filesystem associate;
+# Typically harmlessly blindly trying to access via liblog
+# event tag mapping while in the untrusted_app domain.
+# Access for that domain is controlled and gated via the
+# event log tag service (albeit at a performance penalty,
+# expected to be locally cached).
+dontaudit domain runtime_event_log_tags_file:file { open read };
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init is allowed to enter the logd domain via exec()
+neverallow { domain -init } logd:process transition;
+neverallow * logd:process dyntransition;
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -init
+ -logd
+} runtime_event_log_tags_file:file no_w_file_perms;
diff --git a/prebuilts/api/28.0/public/logpersist.te b/prebuilts/api/28.0/public/logpersist.te
new file mode 100644
index 000000000..7536cb84d
--- /dev/null
+++ b/prebuilts/api/28.0/public/logpersist.te
@@ -0,0 +1,26 @@
+# android debug logging, logpersist domains
+type logpersist, domain;
+
+###
+### Neverallow rules
+###
+### logpersist should NEVER do any of this
+
+# Block device access.
+neverallow logpersist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logpersist domain:process ptrace;
+
+# Write to files in /data/data or system files on /data except misc_logd_file
+neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init should be allowed to enter the logpersist domain via exec()
+# Following is a list of debug domains we know that transition to logpersist
+# neverallow_with_undefined_domains {
+# domain
+# -init # goldfish, logcatd, raft
+# -mmi # bat, mtp8996, msmcobalt
+# -system_app # Smith.apk
+# } logpersist:process transition;
+neverallow * logpersist:process dyntransition;
diff --git a/prebuilts/api/28.0/public/mdnsd.te b/prebuilts/api/28.0/public/mdnsd.te
new file mode 100644
index 000000000..ef7b065d8
--- /dev/null
+++ b/prebuilts/api/28.0/public/mdnsd.te
@@ -0,0 +1,2 @@
+# mdns daemon
+type mdnsd, domain;
diff --git a/prebuilts/api/28.0/public/mediacodec.te b/prebuilts/api/28.0/public/mediacodec.te
new file mode 100644
index 000000000..e5b4a7d35
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediacodec.te
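Review bot: In logd.te the comment `# ... and nobody may ptrace me (except on userdebug or eng builds)` (first part of this hunk) overstates the exception: the rule beneath it, `neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;`, exempts only crash_dump, and only on those builds; every other domain stays forbidden on every build. Since the neverallow is the documented security boundary for logd, the comment should match it: `# ... and nobody may ptrace me (except crash_dump on userdebug or eng builds)`. As a prebuilt snapshot, the wording presumably has to change in the policy source this file mirrors.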
@@ -0,0 +1,70 @@
+# mediacodec - audio and video codecs live here
+type mediacodec, domain;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;
+
+typeattribute mediacodec mlstrustedsubject;
+
+# TODO(b/36375899) attributize this domain appropriately as hal_omx
+# and use macro hal_server_domain
+get_prop(mediacodec, hwservicemanager_prop)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
+not_full_treble(`
+ # on legacy devices, continue to allow /dev/binder traffic
+ binder_use(mediacodec)
+ binder_service(mediacodec)
+ add_service(mediacodec, mediacodec_service)
+ allow mediacodec mediametrics_service:service_manager find;
+ allow mediacodec surfaceflinger_service:service_manager find;
+')
+binder_call(mediacodec, binderservicedomain)
+binder_call(mediacodec, appdomain)
+
+# Allow mediacodec access to composer sync fences
+allow mediacodec hal_graphics_composer:fd use;
+
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir search;
+allow mediacodec ion_device:chr_file rw_file_perms;
+allow mediacodec hal_camera:fd use;
+
+crash_dump_fallback(mediacodec)
+
+add_hwservice(mediacodec, hal_codec2_hwservice)
+add_hwservice(mediacodec, hal_omx_hwservice)
+
+hal_client_domain(mediacodec, hal_allocator)
+
+hal_client_domain(mediacodec, hal_cas)
+
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
+# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to mediacodec via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use pdx_client macro.
+allow mediacodec bufferhubd:fd use;
+
+###
+### neverallow rules
+###
+
+# mediacodec should never execute any executable without a
+# domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/28.0/public/mediadrmserver.te b/prebuilts/api/28.0/public/mediadrmserver.te
new file mode 100644
index 000000000..123cb29a5
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediadrmserver.te
@@ -0,0 +1,31 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+hal_client_domain(mediadrmserver, hal_drm)
+
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
+allow mediadrmserver processinfo_service:service_manager find;
+allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
+
+binder_call(mediadrmserver, mediacodec)
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/28.0/public/mediaextractor.te b/prebuilts/api/28.0/public/mediaextractor.te
new file mode 100644
index 000000000..44387fd47
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediaextractor.te
@@ -0,0 +1,76 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain;
+type mediaextractor_exec, exec_type, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+add_service(mediaextractor, mediaextractor_service)
+allow mediaextractor mediametrics_service:service_manager find;
+allow mediaextractor hidl_token_hwservice:hwservice_manager find;
+
+allow mediaextractor system_server:fd use;
+
+hal_client_domain(mediaextractor, hal_cas)
+
+r_dir_file(mediaextractor, cgroup)
+allow mediaextractor proc_meminfo:file r_file_perms;
+
+crash_dump_fallback(mediaextractor)
+
+# Suppress denials from sdcardfs (b/67454004)
+dontaudit mediaextractor sdcardfs:file read;
+
+# allow mediaextractor read permissions for file sources
+allow mediaextractor media_rw_data_file:file { getattr read };
+allow mediaextractor app_data_file:file { getattr read };
+
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
+# scan extractor library directory to dynamically load extractors
+allow mediaextractor system_file:dir { read open };
+
+userdebug_or_eng(`
+ # Allow extractor to add update service.
+ add_service(mediaextractor, mediaextractor_update_service)
+
+ # Allow extractor to load media extractor plugins from update apk.
+ allow mediaextractor apk_data_file:dir search;
+ allow mediaextractor apk_data_file:file { execute open };
+')
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+ data_file_type
+ -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+ userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+}:file open;
diff --git a/prebuilts/api/28.0/public/mediametrics.te b/prebuilts/api/28.0/public/mediametrics.te
new file mode 100644
index 000000000..ada90cca3
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediametrics.te
@@ -0,0 +1,41 @@
+# mediametrics - daemon for collecting media.metrics data
+type mediametrics, domain;
+type mediametrics_exec, exec_type, file_type;
+
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+add_service(mediametrics, mediametrics_service)
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+# allows interactions with dumpsys to GMScore
+allow mediametrics app_data_file:file write;
+
+# allow access to package manager for uid->apk mapping
+allow mediametrics package_native_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/28.0/public/mediaprovider.te b/prebuilts/api/28.0/public/mediaprovider.te
new file mode 100644
index 000000000..24170a5cf
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediaprovider.te
@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;
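Review bot: `allow mediametrics app_data_file:file write;` under `# allows interactions with dumpsys to GMScore` is the only rule in this file that touches app-private data, and the comment does not say how the file is reached. No `open`, `create` or `dir search` on app_data_file is granted, so this presumably applies only to a descriptor handed in over binder, which is the model the sibling media daemons spell out in their neverallow comments; stating it here, e.g. `# write to an app-owned fd passed over binder; no open/search granted`, makes a later addition of `open` stand out in review rather than slip in beside it.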
diff --git a/prebuilts/api/28.0/public/mediaserver.te b/prebuilts/api/28.0/public/mediaserver.te
new file mode 100644
index 000000000..f0c94edc0
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediaserver.te
@@ -0,0 +1,147 @@
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+type mediaserver_exec, exec_type, file_type;
+
+typeattribute mediaserver mlstrustedsubject;
+
+# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
+typeattribute mediaserver halclientdomain;
+
+net_domain(mediaserver)
+
+r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, cgroup)
+
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+ # ptrace to processes in the same domain for memory leak detection
+ allow mediaserver self:process ptrace;
+')
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver media_data_file:dir create_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file rw_file_perms;
+allow mediaserver sdcard_type:file write;
+allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver video_device:dir r_dir_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+
+set_prop(mediaserver, audio_prop)
+
+# Read resources from open apk files passed over Binder.
+allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+r_dir_file(mediaserver, media_rw_data_file)
+
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file rw_file_perms;
+allow mediaserver qtaguid_device:chr_file r_file_perms;
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+add_service(mediaserver, mediaserver_service)
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediacodec_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
+allow mediaserver media_session_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
+
+# for ModDrm/MediaPlayer
+allow mediaserver mediadrmserver_service:service_manager find;
+
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
+
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
+allow mediaserver hal_camera:fd use;
+
+allow mediaserver system_server:fd use;
+
+hal_client_domain(mediaserver, hal_allocator)
+
+binder_call(mediaserver, mediacodec)
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/28.0/public/modprobe.te b/prebuilts/api/28.0/public/modprobe.te
new file mode 100644
index 000000000..119040921
--- /dev/null
+++ b/prebuilts/api/28.0/public/modprobe.te
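Review bot: `allow mediaserver app_data_file:dir search;` together with `allow mediaserver app_data_file:file rw_file_perms;` in the first part of the hunk lets mediaserver locate, open and write app-private files by path, which is broader than the fd-passing model the neighbouring rules document (`# Read resources from open apk files passed over Binder.`, `# Use pipes passed over Binder from app domains.`), and unlike mediaextractor.te this file carries no `open` neverallow on data_file_type to bound it. Since mediaserver is also a `net_domain`, this is the one media daemon in the series that combines network reach with path-based app-data access. A comment naming which caller or path still needs direct open/write (the hunk gives no hint) would let the grant be narrowed or justified; without it the pair of rules reads as a leftover from before the mediaserver split described in the other files.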
@@ -0,0 +1,9 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe self:global_capability_class_set sys_module;
+allow modprobe kernel:key search;
+recovery_only(`
+ allow modprobe rootfs:system module_load;
+ allow modprobe rootfs:file r_file_perms;
+')
diff --git a/prebuilts/api/28.0/public/mtp.te b/prebuilts/api/28.0/public/mtp.te
new file mode 100644
index 000000000..7256bcf55
--- /dev/null
+++ b/prebuilts/api/28.0/public/mtp.te
@@ -0,0 +1,11 @@
+# vpn tunneling protocol manager
+type mtp, domain;
+type mtp_exec, exec_type, file_type;
+
+net_domain(mtp)
+
+# pptp policy
+allow mtp self:socket create_socket_perms_no_ioctl;
+allow mtp self:global_capability_class_set net_raw;
+allow mtp ppp:process signal;
+allow mtp vpn_data_file:dir search;
diff --git a/prebuilts/api/28.0/public/net.te b/prebuilts/api/28.0/public/net.te
new file mode 100644
index 000000000..7e00ed845
--- /dev/null
+++ b/prebuilts/api/28.0/public/net.te
@@ -0,0 +1,4 @@
+# Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
new file mode 100644
index 000000000..0e9e08ca7
--- /dev/null
+++ b/prebuilts/api/28.0/public/netd.te
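Review bot: `allow modprobe kernel:key search;` is the only rule in the modprobe hunk without an explanation, and a keyring grant next to `sys_module` and `module_load` is exactly the kind of line a later reader will want justified. Presumably it covers the kernel keyring lookup performed while loading a module (signature verification is the usual reason), but the hunk does not say; a one-liner such as `# keyring lookup during module load — confirm purpose` records the intent without overstating it.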
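Review bot: The header `# vpn tunneling protocol manager` over `type mtp, domain;` does not explain the domain name, and `mtp` is easily misread as Media Transfer Protocol; the rules below (`# pptp policy`, `net_raw`, `ppp:process signal`, `vpn_data_file:dir search`) show it is the legacy VPN tunnel daemon. A header like `# mtp - legacy VPN tunneling protocol daemon (pptp); not Media Transfer Protocol` would stop an auditor from attributing `net_raw` to the wrong component.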
@@ -0,0 +1,148 @@
+# network manager
+type netd, domain, mlstrustedsubject;
+type netd_exec, exec_type, file_type;
+
+net_domain(netd)
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(netd, cgroup)
+
+allow netd system_server:fd use;
+
+allow netd self:global_capability_class_set { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for netd to operate.
+dontaudit netd self:global_capability_class_set fsetid;
+
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
+allow netd devpts:chr_file rw_file_perms;
+
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
+
+# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
+# complete
+allow netd qtaguid_proc:file rw_file_perms;
+# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
+allow netd qtaguid_device:chr_file r_file_perms;
+
+r_dir_file(netd, proc_net)
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net:file rw_file_perms;
+
+# Enables PppController and interface enumeration (among others)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
+# Allows setting interface MTU
+allow netd sysfs_net:file w_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
+allow netd fs_bpf:dir create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
+# TODO: netd previously thought it needed these permissions to do WiFi related
+# work. However, after all the WiFi stuff is gone, we still need them.
+# Why?
+allow netd self:global_capability_class_set { dac_override chown };
+
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+allow netd self:global_capability_class_set fowner;
+
+# Needed to lock the iptables lock.
+allow netd system_file:file lock;
+
+# Allow netd to spawn dnsmasq in it's own domain
+allow netd dnsmasq:process signal;
+
+# Allow netd to start clatd in its own domain
+allow netd clatd:process signal;
+
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+add_service(netd, netd_service)
+allow netd dumpstate:fifo_file { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects netd events.
+allow netd netd_listener_service:service_manager find;
+
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{
+ tcp_socket
+ udp_socket
+ rawip_socket
+ tun_socket
+} { read write getattr setattr getopt setopt };
+allow netd netdomain:fd use;
+
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write };
+
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+get_prop(netd, hwservicemanager_prop)
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server and dumpstate may find netd service
+neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+
+# only netd can create the bpf maps
+neverallow { domain -netd } netd:bpf { map_create };
+
+# apps may not interact with netd over binder.
+neverallow appdomain netd:binder call;
+neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
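Review bot: `allow netd system_file:file lock;` appears twice in this hunk, once under `# Acquire advisory lock on /system/etc/xtables.lock` and again under `# Needed to lock the iptables lock.`; both comments describe the same rule, so one copy with a merged comment is enough. The duplicate is harmless to the compiler but it inflates the grant list an auditor has to read for a domain holding `net_admin net_raw` and `priv_sock_ioctls`. Separately, `allow netd sysfs_usb:file write;` is justified only by `# TODO: added to match above sysfs rule. Remove me?` with no bug reference; a write grant on a sysfs subtree kept for symmetry rather than need should be tied to a tracking bug so it does not persist by default.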
diff --git a/prebuilts/api/28.0/public/netutils_wrapper.te b/prebuilts/api/28.0/public/netutils_wrapper.te
new file mode 100644
index 000000000..c844762c8
--- /dev/null
+++ b/prebuilts/api/28.0/public/netutils_wrapper.te
@@ -0,0 +1,4 @@
+type netutils_wrapper, domain;
+type netutils_wrapper_exec, exec_type, file_type;
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/prebuilts/api/28.0/public/neverallow_macros b/prebuilts/api/28.0/public/neverallow_macros
new file mode 100644
index 000000000..e2b6ed1af
--- /dev/null
+++ b/prebuilts/api/28.0/public/neverallow_macros
@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/prebuilts/api/28.0/public/nfc.te b/prebuilts/api/28.0/public/nfc.te
new file mode 100644
index 000000000..e3a03e796
--- /dev/null
+++ b/prebuilts/api/28.0/public/nfc.te
@@ -0,0 +1,2 @@
+# nfc subsystem
+type nfc, domain;
diff --git a/prebuilts/api/28.0/public/otapreopt_chroot.te b/prebuilts/api/28.0/public/otapreopt_chroot.te
new file mode 100644
index 000000000..894363ab1
--- /dev/null
+++ b/prebuilts/api/28.0/public/otapreopt_chroot.te
@@ -0,0 +1,20 @@
+# otapreopt_chroot executable
+type otapreopt_chroot, domain;
+type otapreopt_chroot_exec, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem mount;
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/prebuilts/api/28.0/public/otapreopt_slot.te b/prebuilts/api/28.0/public/otapreopt_slot.te
new file mode 100644
index 000000000..6551864c3
--- /dev/null
+++ b/prebuilts/api/28.0/public/otapreopt_slot.te
@@ -0,0 +1,27 @@
+# otapreopt_slot
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject;
+type otapreopt_slot_exec, exec_type, file_type;
+
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/28.0/public/performanced.te b/prebuilts/api/28.0/public/performanced.te
new file mode 100644
index 000000000..248d345d1
--- /dev/null
+++ b/prebuilts/api/28.0/public/performanced.te
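Review bot: The comment `# Allow cppreopts to execute itself using #!/system/bin/sh` names the wrong domain; the rule beneath it is `allow otapreopt_slot shell_exec:file rx_file_perms;`, so it should read `# Allow otapreopt_slot to execute itself using #!/system/bin/sh`. The wording looks copied from another policy file, and a mismatched name here would mislead anyone auditing which domains are permitted to run the shell.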
@@ -0,0 +1,30 @@
+# performanced
+type performanced, domain, mlstrustedsubject;
+type performanced_exec, exec_type, file_type;
+
+# Needed to check for app permissions.
+binder_use(performanced)
+binder_call(performanced, system_server)
+allow performanced permission_service:service_manager find;
+
+pdx_server(performanced, performance_client)
+
+# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
+
+# Access /proc to validate we're only affecting threads in the same thread group.
+# Performanced also shields unbound kernel threads. It scans every task in the
+# root cpu set, but only affects the kernel threads.
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
+dontaudit performanced domain:dir read;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+
+# These /proc accesses only show up in permissive mode but they
+# generate a lot of noise in the log.
+userdebug_or_eng(`
+ dontaudit performanced domain:dir open;
+ dontaudit performanced domain:file { open read getattr };
+')
+
+# Access /dev/cpuset/cpuset.cpus
+r_dir_file(performanced, cgroup)
diff --git a/prebuilts/api/28.0/public/perfprofd.te b/prebuilts/api/28.0/public/perfprofd.te
new file mode 100644
index 000000000..f067af5d4
--- /dev/null
+++ b/prebuilts/api/28.0/public/perfprofd.te
@@ -0,0 +1,119 @@
+# perfprofd - perf profile collection daemon
+type perfprofd, domain;
+type perfprofd_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+ typeattribute perfprofd coredomain;
+ typeattribute perfprofd mlstrustedsubject;
+
+ # perfprofd access to sysfs directory structure.
+ allow perfprofd sysfs_type:dir search;
+
+ # perfprofd needs to control CPU hot-plug in order to avoid kernel
+ # perfevents problems in cases where CPU goes on/off during measurement;
+ # this means read access to /sys/devices/system/cpu/possible
+ # and read/write access to /sys/devices/system/cpu/cpu*/online
+ allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
+
+ # perfprofd checks for the existence of and then invokes simpleperf;
+ # simpleperf retains perfprofd domain after exec
+ allow perfprofd system_file:file rx_file_perms;
+
+ # perfprofd reads a config file from /data/data/com.google.android.gms/files
+ allow perfprofd app_data_file:file r_file_perms;
+ allow perfprofd app_data_file:dir search;
+ allow perfprofd self:global_capability_class_set { dac_override };
+
+ # perfprofd opens a file for writing in /data/misc/perfprofd
+ allow perfprofd perfprofd_data_file:file create_file_perms;
+ allow perfprofd perfprofd_data_file:dir rw_dir_perms;
+
+ # perfprofd uses the system log
+ read_logd(perfprofd);
+ write_logd(perfprofd);
+
+ # perfprofd inspects /sys/power/wake_unlock
+ wakelock_use(perfprofd);
+
+ # perfprofd looks at thermals.
+ allow perfprofd sysfs_thermal:dir r_dir_perms;
+
+ # perfprofd checks power_supply.
+ r_dir_file(perfprofd, sysfs_batteryinfo)
+
+ # simpleperf reads kernel notes.
+ allow perfprofd sysfs_kernel_notes:file r_file_perms;
+
+ # Simpleperf & perfprofd query a range of proc stats.
+ allow perfprofd proc_loadavg:file r_file_perms;
+ allow perfprofd proc_stat:file r_file_perms;
+ allow perfprofd proc_modules:file r_file_perms;
+
+ # simpleperf writes to perf_event_paranoid under /proc.
+ allow perfprofd proc_perf:file write;
+
+ # Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
+ dontaudit perfprofd proc_security:file *;
+
+ # simpleperf uses ioctl() to turn on kernel perf events measurements
+ allow perfprofd self:global_capability_class_set sys_admin;
+
+ # simpleperf needs to examine /proc to collect task/thread info
+ r_dir_file(perfprofd, domain)
+
+ # simpleperf needs to access /proc//exec
+ allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
+ neverallow perfprofd domain:process ptrace;
+
+ # simpleperf needs open/read any file that turns up in a profile
+ # to see whether it has a build ID
+ allow perfprofd exec_type:file r_file_perms;
+ # App & ART artifacts.
+ r_dir_file(perfprofd, apk_data_file)
+ r_dir_file(perfprofd, dalvikcache_data_file)
+ # Vendor libraries.
+ r_dir_file(perfprofd, vendor_file)
+ # Vendor apps.
+ r_dir_file(perfprofd, vendor_app_file)
+
+ # simpleperf will set security.perf_harden to enable access to perf_event_open()
+ set_prop(perfprofd, shell_prop)
+
+ # simpleperf examines debugfs on startup to collect tracepoint event types
+ r_dir_file(perfprofd, debugfs_tracing)
+ r_dir_file(perfprofd, debugfs_tracing_debug)
+
+ # simpleperf is going to execute "sleep"
+ allow perfprofd toolbox_exec:file rx_file_perms;
+ # simpleperf is going to execute "mv" on a temp file
+ allow perfprofd shell_exec:file rx_file_perms;
+
+ # needed for simpleperf on some kernels
+ allow perfprofd self:global_capability_class_set ipc_lock;
+
+ # simpleperf attempts to put a temp file into /data/local/tmp. Do not allow,
+ # use the fallback cwd code, do not spam the log. But ensure this is correctly
+ # removed at some point. b/70232908.
+ dontaudit perfprofd shell_data_file:dir *;
+ dontaudit perfprofd shell_data_file:file *;
+
+ # Allow perfprofd to publish a binder service and make binder calls.
+ binder_use(perfprofd)
+ add_service(perfprofd, perfprofd_service)
+
+ # Use devpts for streams from cmd.
+ #
+ # This is normally granted to binderservicedomain, but this service
+ # has tighter restrictions on the callers (see below), so must enable
+ # this manually.
+ allow perfprofd devpts:chr_file rw_file_perms;
+
+ # Use socket & pipe supplied by su, for cmd perfprofd dump.
+ allow perfprofd su:unix_stream_socket { read write getattr sendto };
+ allow perfprofd su:fifo_file r_file_perms;
+
+ # Allow perfprofd to submit to dropbox.
+ allow perfprofd dropbox_service:service_manager find;
+ binder_call(perfprofd, system_server)
+')
diff --git a/prebuilts/api/28.0/public/platform_app.te b/prebuilts/api/28.0/public/platform_app.te
new file mode 100644
index 000000000..9b1faf0f6
--- /dev/null
+++ b/prebuilts/api/28.0/public/platform_app.te
@@ -0,0 +1,5 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
diff --git a/prebuilts/api/28.0/public/postinstall.te b/prebuilts/api/28.0/public/postinstall.te
new file mode 100644
index 000000000..7fd4dc611
--- /dev/null
+++ b/prebuilts/api/28.0/public/postinstall.te
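Review bot: `neverallow perfprofd domain:process ptrace;` (middle of the hunk, just after the `sys_ptrace` grant) sits inside the `userdebug_or_eng(...)` wrapper that encloses the whole file body, so on user builds the invariant is never compiled in; it holds there only because every allow in the same block is absent too. Placing that one neverallow at top level next to the `type perfprofd, domain;` declaration asserts the property on every build and keeps it from quietly vanishing if the wrapper is later narrowed or split. A smaller point: `set_prop(perfprofd, shell_prop)` is commented as setting `security.perf_harden`, but shell_prop is a broader property set than that single key; if a dedicated property type exists for it (the hunk does not show one) it would be the tighter choice, and otherwise the comment should note that the grant covers all of shell_prop.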
@@ -0,0 +1,36 @@
+# Domain where the postinstall program runs during the update.
+# Extend the permissions in this domain to allow this program to access other
+# files needed by the specific device on your device's sepolicy directory.
+type postinstall, domain;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/prebuilts/api/28.0/public/postinstall_dexopt.te b/prebuilts/api/28.0/public/postinstall_dexopt.te
new file mode 100644
index 000000000..82215300a
--- /dev/null
+++ b/prebuilts/api/28.0/public/postinstall_dexopt.te
@@ -0,0 +1,57 @@
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain;
+
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
+
+allow postinstall_dexopt postinstall_file:filesystem getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt tmpfs:file read;
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
+
+allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/prebuilts/api/28.0/public/ppp.te b/prebuilts/api/28.0/public/ppp.te
new file mode 100644
index 000000000..9340dee87
--- /dev/null
+++ b/prebuilts/api/28.0/public/ppp.te
@@ -0,0 +1,23 @@
+# Point to Point Protocol daemon
+type ppp, domain;
+type ppp_device, dev_type;
+type ppp_exec, exec_type, file_type;
+
+net_domain(ppp)
+
+r_dir_file(ppp, proc_net)
+
+allow ppp mtp:socket rw_socket_perms;
+
+# ioctls needed for VPN.
+allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
+allowxperm ppp mtp:socket ioctl ppp_ioctls;
+
+allow ppp mtp:unix_dgram_socket rw_socket_perms;
+allow ppp ppp_device:chr_file rw_file_perms;
+allow ppp self:global_capability_class_set net_admin;
+allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
+allow ppp vpn_data_file:dir w_dir_perms;
+allow ppp vpn_data_file:file create_file_perms;
+allow ppp mtp:fd use;
diff --git a/prebuilts/api/28.0/public/preopt2cachename.te b/prebuilts/api/28.0/public/preopt2cachename.te
new file mode 100644
index 000000000..49df64725
--- /dev/null
+++ b/prebuilts/api/28.0/public/preopt2cachename.te
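Review bot: Unlike postinstall.te on the previous line, which closes with `neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };`, this file has no rule restricting which domains may enter postinstall_dexopt, even though the domain holds `chown dac_override fowner setgid setuid` plus `relabelto`, `link` and create permissions on dalvikcache_data_file. The `postinstall:process sigchld` and `otapreopt_chroot:fd use` rules suggest otapreopt_chroot is the intended parent, but the transition itself is not in this hunk, so the allowed source set needs confirming (and the private policy checking) before a rule of the form `neverallow { domain -otapreopt_chroot } postinstall_dexopt:process { transition dyntransition };` is added. Either way, a comment stating who is expected to exec this domain would make the missing bound visible.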
@@ -0,0 +1,13 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+type preopt2cachename, domain;
+type preopt2cachename_exec, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net:file r_file_perms;
diff --git a/prebuilts/api/28.0/public/priv_app.te b/prebuilts/api/28.0/public/priv_app.te
new file mode 100644
index 000000000..0761fc30f
--- /dev/null
+++ b/prebuilts/api/28.0/public/priv_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+type priv_app, domain;
diff --git a/prebuilts/api/28.0/public/profman.te b/prebuilts/api/28.0/public/profman.te
new file mode 100644
index 000000000..a5c18b51d
--- /dev/null
+++ b/prebuilts/api/28.0/public/profman.te
@@ -0,0 +1,26 @@
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { getattr read write lock };
+
+# Dumping profile info opens the application APK file for pretty printing.
+allow profman asec_apk_file:file { read };
+allow profman apk_data_file:file { read };
+allow profman oemfs:file { read };
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+allow profman tmpfs:file { read };
+allow profman profman_dump_data_file:file { write };
+
+allow profman installd:fd use;
+
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman app_data_file:file { getattr read write lock };
+
+###
+### neverallow rules
+###
+
+neverallow profman app_data_file:notdevfile_class_set open;
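Review bot: The comment `# Allow write to logcat.` in preopt2cachename.te does not describe the rule under it, `allow preopt2cachename proc_net:file r_file_perms;`, which only grants read access to proc_net files and says nothing about logd, a log socket or any write. If that read is what the logging library needs before it can reach logcat, the comment should say so explicitly, e.g. `# Read /proc/net entries (needed by the logging library before writing to logcat).`; if not, it should just state what is read so the grant can be reviewed on its own terms. As a prebuilts/api snapshot the wording fix presumably belongs in the mirrored public/preopt2cachename.te rather than here.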
diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te
new file mode 100644
index 000000000..f757936d7
--- /dev/null
+++ b/prebuilts/api/28.0/public/property.te
@@ -0,0 +1,217 @@
+type audio_prop, property_type, core_property_type;
+type boottime_prop, property_type;
+type bluetooth_a2dp_offload_prop, property_type;
+type bluetooth_prop, property_type;
+type bootloader_boot_reason_prop, property_type;
+type config_prop, property_type, core_property_type;
+type cppreopt_prop, property_type, core_property_type;
+type ctl_bootanim_prop, property_type;
+type ctl_bugreport_prop, property_type;
+type ctl_console_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_mdnsd_prop, property_type;
+type ctl_rildaemon_prop, property_type;
+type dalvik_prop, property_type, core_property_type;
+type debuggerd_prop, property_type, core_property_type;
+type debug_prop, property_type, core_property_type;
+type default_prop, property_type, core_property_type;
+type device_logging_prop, property_type;
+type dhcp_prop, property_type, core_property_type;
+type dumpstate_options_prop, property_type;
+type dumpstate_prop, property_type, core_property_type;
+type exported_secure_prop, property_type;
+type ffs_prop, property_type, core_property_type;
+type fingerprint_prop, property_type, core_property_type;
+type firstboot_prop, property_type;
+type hwservicemanager_prop, property_type;
+type last_boot_reason_prop, property_type;
+type logd_prop, property_type, core_property_type;
+type logpersistd_logging_prop, property_type;
+type log_prop, property_type, log_property_type;
+type log_tag_prop, property_type, log_property_type;
+type lowpan_prop, property_type;
+type mmc_prop, property_type;
+type net_dns_prop, property_type;
+type net_radio_prop, property_type, core_property_type;
+type netd_stable_secret_prop, property_type;
+type nfc_prop, property_type, core_property_type;
+type overlay_prop, property_type;
+type pan_result_prop, property_type, core_property_type;
+type persist_debug_prop, property_type, core_property_type;
+type persistent_properties_ready_prop, property_type;
+type pm_prop, property_type;
+type powerctl_prop, property_type, core_property_type;
+type radio_prop, property_type, core_property_type;
+type restorecon_prop, property_type, core_property_type;
+type safemode_prop, property_type;
+type serialno_prop, property_type;
+type shell_prop, property_type, core_property_type;
+type system_boot_reason_prop, property_type;
+type system_prop, property_type, core_property_type;
+type system_radio_prop, property_type, core_property_type;
+type vold_prop, property_type, core_property_type;
+type wifi_log_prop, property_type, log_property_type;
+type wifi_prop, property_type;
+
+# Properties for whitelisting
+type exported_bluetooth_prop, property_type;
+type exported_config_prop, property_type;
+type exported_dalvik_prop, property_type;
+type exported_default_prop, property_type;
+type exported_dumpstate_prop, property_type;
+type exported_ffs_prop, property_type;
+type exported_fingerprint_prop, property_type;
+type exported_overlay_prop, property_type;
+type exported_pm_prop, property_type;
+type exported_radio_prop, property_type;
+type exported_system_prop, property_type;
+type exported_system_radio_prop, property_type;
+type exported_vold_prop, property_type;
+type exported_wifi_prop, property_type;
+type exported2_config_prop, property_type;
+type exported2_default_prop, property_type;
+type exported2_radio_prop, property_type;
+type exported2_system_prop, property_type;
+type exported2_vold_prop, property_type;
+type exported3_default_prop, property_type;
+type exported3_radio_prop, property_type;
+type exported3_system_prop, property_type;
+type vendor_default_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+###
+### Neverallow rules
+###
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+neverallow * {
+ core_property_type
+ -audio_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -default_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -ffs_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -system_radio_prop
+ -vold_prop
+}:file no_rw_file_perms;
+
+compatible_property_only(`
+# Prevent properties from being set
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ -vendor_init
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported2_radio_prop
+ exported3_radio_prop
+ radio_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ exported_dalvik_prop
+ exported_ffs_prop
+ exported_system_radio_prop
+ exported2_config_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -debug_prop
+ -logd_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ -vendor_init
+ } {
+ nfc_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ -vendor_init
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
+')
diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts
new file mode 100644
index 000000000..0156a47bb
--- /dev/null
+++ b/prebuilts/api/28.0/public/property_contexts
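Review bot: The `# Properties for whitelisting` comment is the only documentation of the `exported_*`, `exported2_*` and `exported3_*` type families, and the numeric suffix does not map to one access class: `exported2_config_prop`, `exported2_system_prop` and `exported2_vold_prop` appear in both the set and the read neverallow lists below, while `exported2_default_prop` and `exported_default_prop` appear only in the set list. A policy author adding a property therefore cannot pick a suffix without re-deriving the intent from the neverallows. I would add a one-line comment per declared type stating its intended reader and writer sets, e.g. above `type exported2_default_prop, property_type;`: `# exported2_default_prop: set is neverallowed for domains outside coredomain/appdomain/vendor_init; read is not restricted here.` Since this is a prebuilts/api snapshot the comments presumably belong in the mirrored public/property.te.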
@@ -0,0 +1,294 @@
+# vendor-init-readable
+persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact int
+
+# vendor-init-settable
+af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
+camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
+camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
+dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.dexopt.secondary u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.execution-mode u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.extra-opts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.gctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapgrowthlimit u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapmaxfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapminfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapstartsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heaptargetutilization u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.isa.arm.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitinitialsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitmaxsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitprithreadweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jitthreshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jittransitionweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jniopts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.lockprof.threshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.stack-trace-dir u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
+drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
+keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
+media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
+persist.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
+persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
+persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
+persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact bool
+persist.vendor.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
+ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
+ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
+ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
+ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
+ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
+ro.com.google.clientidbase u:object_r:exported3_default_prop:s0 exact string
+ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
+ro.config.media_vol_steps u:object_r:exported2_config_prop:s0 exact int
+ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string
+ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
+ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
+ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
+ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
+ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
+ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
+ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
+ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
+ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
+ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
+ro.url.legal u:object_r:exported3_default_prop:s0 exact string
+ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.zygote u:object_r:exported3_default_prop:s0 exact string
+sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
+sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
+sys.usb.ffs.max_read u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.ffs.max_write u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+sys.usb.state u:object_r:exported2_system_prop:s0 exact string
+telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
+tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
+vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
+wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
+
+# vendor-init-readable|vendor-init-actionable
+dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
+sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
+sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
+
+# vendor-init-settable|vendor-init-actionable
+persist.sys.zram_enabled u:object_r:exported2_system_prop:s0 exact bool
+sys.usb.config u:object_r:exported_system_radio_prop:s0 exact string
+sys.usb.configfs u:object_r:exported_system_radio_prop:s0 exact int
+
+# public-readable
+aac_drc_boost u:object_r:exported2_default_prop:s0 exact int
+aac_drc_cut u:object_r:exported2_default_prop:s0 exact int
+aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
+aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
+aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
+drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
+dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
+init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
+persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+ro.adb.secure u:object_r:exported_secure_prop:s0 exact int
+ro.arch u:object_r:exported2_default_prop:s0 exact string
+ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
+ro.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
+ro.boot.console u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.sku u:object_r:exported2_default_prop:s0 exact string
+ro.boot.keymaster u:object_r:exported2_default_prop:s0 exact string
+ro.boot.mode u:object_r:exported2_default_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
+ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
+ro.bootimage.build.date u:object_r:exported2_default_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:exported2_default_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:exported2_default_prop:s0 exact string
+ro.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.build.date u:object_r:exported2_default_prop:s0 exact string
+ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
+ro.build.description u:object_r:exported2_default_prop:s0 exact string
+ro.build.display.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
+ro.build.host u:object_r:exported2_default_prop:s0 exact string
+ro.build.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.product u:object_r:exported2_default_prop:s0 exact string
+ro.build.system_root_image u:object_r:exported2_default_prop:s0 exact bool
+ro.build.tags u:object_r:exported2_default_prop:s0 exact string
+ro.build.user u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
+ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
+ro.crypto.type u:object_r:exported_vold_prop:s0 exact string
+ro.debuggable u:object_r:exported2_default_prop:s0 exact int
+ro.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.product.brand u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abi u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abilist u:object_r:exported2_default_prop:s0 exact string
+ro.product.device u:object_r:exported2_default_prop:s0 exact string
+ro.product.manufacturer u:object_r:exported2_default_prop:s0 exact string
+ro.product.model u:object_r:exported2_default_prop:s0 exact string
+ro.product.name u:object_r:exported2_default_prop:s0 exact string
+ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
+ro.revision u:object_r:exported2_default_prop:s0 exact string
+ro.secure u:object_r:exported_secure_prop:s0 exact int
+service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
+sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+vold.decrypt u:object_r:exported_vold_prop:s0 exact string
+
+# vendor-init-settable|public-readable
+aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.mixer_bursts u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_exclusive_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
+gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
+media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
+rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
+ro.board.platform u:object_r:exported_default_prop:s0 exact string
+ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+ro.carrier u:object_r:exported_default_prop:s0 exact string
+ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
+ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
+ro.frp.pst u:object_r:exported_default_prop:s0 exact string
+ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
+ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
+ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
+ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
+ro.hardware.input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
+ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
+ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
+ro.hardware.power u:object_r:exported_default_prop:s0 exact string
+ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
+ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
+ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.type u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
+ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+ro.kernel.qemu u:object_r:exported_default_prop:s0 exact int
+ro.kernel.qemu.gles u:object_r:exported_default_prop:s0 exact int
+ro.odm.build.date u:object_r:exported_default_prop:s0 exact string
+ro.odm.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.odm.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.product.board u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist64 u:object_r:exported_default_prop:s0 exact string
+ro.product.first_api_level u:object_r:exported_default_prop:s0 exact int
+ro.product.odm.brand u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.device u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.manufacturer u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.model u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.brand u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.device u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.vndk.version u:object_r:exported_default_prop:s0 exact string
+ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
+wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
+wifi.interface u:object_r:exported_default_prop:s0 exact string
+
+# vendor-init-actionable|public-readable
+ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
+ro.bootmode u:object_r:exported2_default_prop:s0 exact string
+ro.build.type u:object_r:exported2_default_prop:s0 exact string
+sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
diff --git a/prebuilts/api/28.0/public/racoon.te b/prebuilts/api/28.0/public/racoon.te
new file mode 100644
index 000000000..c759217a0
--- /dev/null
+++ b/prebuilts/api/28.0/public/racoon.te
@@ -0,0 +1,33 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, exec_type, file_type;
+
+typeattribute racoon mlstrustedsubject;
+
+net_domain(racoon)
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
+
+binder_use(racoon)
+
+allow racoon tun_device:chr_file r_file_perms;
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+
+allow racoon self:key_socket create_socket_perms_no_ioctl;
+allow racoon self:tun_socket create_socket_perms_no_ioctl;
+allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+ get
+ sign
+ verify
+};
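Review bot: The entry `dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int` in property_contexts reads like a typo for "size" and a well-meaning edit could "fix" it into a name the runtime never reads, which would silently leave the real property with the default label. If the truncated spelling is deliberate (the name is 31 characters, consistent with a legacy property-name length limit), a comment above the entry such as `# name intentionally truncated; must match the runtime's property lookup` would protect it. The section headers (`# vendor-init-settable`, `# public-readable`, …) are the only description of what each exported type means here, so any such note should sit next to the entry rather than in a header. As a prebuilts/api snapshot the comment presumably belongs in the mirrored public/property_contexts.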
diff --git a/prebuilts/api/28.0/public/radio.te b/prebuilts/api/28.0/public/radio.te
new file mode 100644
index 000000000..8fb5ad638
--- /dev/null
+++ b/prebuilts/api/28.0/public/radio.te
@@ -0,0 +1,41 @@
+# phone subsystem
+type radio, domain, mlstrustedsubject;
+
+net_domain(radio)
+bluetooth_domain(radio)
+binder_service(radio)
+
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+
+allow radio alarm_device:chr_file rw_file_perms;
+
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
+# Property service
+set_prop(radio, radio_prop)
+set_prop(radio, exported_radio_prop)
+set_prop(radio, exported2_radio_prop)
+set_prop(radio, exported3_radio_prop)
+set_prop(radio, net_radio_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
+add_service(radio, radio_service)
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
+allow radio drmserver_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
+
+# Perform HwBinder IPC.
+hwbinder_use(radio)
+hal_client_domain(radio, hal_telephony)
diff --git a/prebuilts/api/28.0/public/recovery.te b/prebuilts/api/28.0/public/recovery.te
new file mode 100644
index 000000000..57ad2028b
--- /dev/null
+++ b/prebuilts/api/28.0/public/recovery.te
@@ -0,0 +1,161 @@
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type recovery, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Allow recovery to perform an update as update_engine would do.
+ typeattribute recovery update_engine_common;
+ # Recovery can only use HALs in passthrough mode
+ passthrough_hal_client_domain(recovery, hal_bootctl)
+
+ allow recovery self:global_capability_class_set {
+ chown
+ dac_override
+ fowner
+ setuid
+ setgid
+ sys_admin
+ sys_tty_config
+ };
+
+ # Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
+ allow recovery rootfs:file execute_no_trans;
+ allow recovery system_file:file execute_no_trans;
+ allow recovery toolbox_exec:file rx_file_perms;
+
+ # Mount filesystems.
+ allow recovery rootfs:dir mounton;
+ allow recovery fs_type:filesystem ~relabelto;
+ allow recovery unlabeled:filesystem ~relabelto;
+ allow recovery contextmount_type:filesystem relabelto;
+
+ # We may be asked to set an SELinux label for a type not known to the
+ # currently loaded policy. Allow it.
+ allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+ allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
+ # Get file contexts
+ allow recovery file_contexts_file:file r_file_perms;
+
+ # Write to /proc/sys/vm/drop_caches
+ allow recovery proc_drop_caches:file w_file_perms;
+
+ # Read /proc/swaps
+ allow recovery proc_swaps:file r_file_perms;
+
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
+ # Write to /sys/class/android_usb/android0/enable.
+ r_dir_file(recovery, sysfs_android_usb)
+ allow recovery sysfs_android_usb:file w_file_perms;
+
+ # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
+ allow recovery sysfs_devices_system_cpu:file w_file_perms;
+
+ allow recovery sysfs_batteryinfo:file r_file_perms;
+
+ # Read /sysfs/fs/ext4/features
+ r_dir_file(recovery, sysfs_fs_ext4_features)
+
+ # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
+ # control backlight brightness.
+ allow recovery sysfs_leds:dir r_dir_perms;
+ allow recovery sysfs_leds:file rw_file_perms;
+ allow recovery sysfs_leds:lnk_file read;
+
+ allow recovery kernel:system syslog_read;
+
+ # Access /dev/usb-ffs/adb/ep0
+ allow recovery functionfs:dir search;
+ allow recovery functionfs:file rw_file_perms;
+
+ # Access to /sys/fs/selinux/policyvers for compatibility check
+ allow recovery selinuxfs:file r_file_perms;
+
+ # Required to e.g. wipe userdata/cache.
+ allow recovery device:dir r_dir_perms;
+ allow recovery block_device:dir r_dir_perms;
+ allow recovery dev_type:blk_file rw_file_perms;
+
+ # GUI
+ allow recovery graphics_device:chr_file rw_file_perms;
+ allow recovery graphics_device:dir r_dir_perms;
+ allow recovery input_device:dir r_dir_perms;
+ allow recovery input_device:chr_file r_file_perms;
+ allow recovery tty_device:chr_file rw_file_perms;
+
+ # Create /tmp/recovery.log and execute /tmp/update_binary.
+ allow recovery tmpfs:file { create_file_perms x_file_perms };
+ allow recovery tmpfs:dir create_dir_perms;
+
+ # Manage files on /cache and /cache/recovery
+ allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+ allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+ # Read /sys/class/thermal/*/temp for thermal info.
+ r_dir_file(recovery, sysfs_thermal)
+
+ # Read files on /oem.
+ r_dir_file(recovery, oemfs);
+
+ # Reboot the device
+ set_prop(recovery, powerctl_prop)
+
+ # Start/stop adbd via ctl.start adbd
+ set_prop(recovery, ctl_default_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(recovery, serialno_prop)
+
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ set_prop(recovery, ffs_prop)
+ set_prop(recovery, exported_ffs_prop)
+
+ # Read ro.boot.bootreason
+ get_prop(recovery, bootloader_boot_reason_prop)
+
+ # Use setfscreatecon() to label files for OTA updates.
+ allow recovery self:process setfscreate;
+
+ # Allow recovery to create a fuse filesystem, and read files from it.
+ allow recovery fuse_device:chr_file rw_file_perms;
+ allow recovery fuse:dir r_dir_perms;
+ allow recovery fuse:file r_file_perms;
+
+ wakelock_use(recovery)
+
+ # This line seems suspect, as it should not really need to
+ # set scheduling parameters for a kernel domain task.
+ allow recovery kernel:process setsched;
+')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+}:dir no_w_dir_perms;
diff --git a/prebuilts/api/28.0/public/recovery_persist.te b/prebuilts/api/28.0/public/recovery_persist.te
new file mode 100644
index 000000000..091d3001a
--- /dev/null
+++ b/prebuilts/api/28.0/public/recovery_persist.te
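Review bot: `r_dir_file(recovery, oemfs);` carries a trailing semicolon while every other macro invocation in this recovery_only block (`r_dir_file(recovery, rootfs)`, `r_dir_file(recovery, sysfs_thermal)`, the `set_prop`/`get_prop` calls, `wakelock_use(recovery)`) is written without one; for consistency it should read `r_dir_file(recovery, oemfs)`. Two review flags in this block also have no owner: the `# This line seems suspect` comment on `allow recovery kernel:process setsched;` and `# TODO: tighten this up further.` above the /data neverallows. Since this is the frozen 28.0 snapshot the actual change belongs in the source policy, but each comment should name a tracking bug, e.g. `# TODO(<bug id placeholder>): tighten this up further.`, so the open questions are not lost in the prebuilt.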
@@ -0,0 +1,27 @@
+# android recovery persistent log manager
+type recovery_persist, domain;
+type recovery_persist_exec, exec_type, file_type;
+
+allow recovery_persist pstorefs:dir search;
+allow recovery_persist pstorefs:file r_file_perms;
+
+allow recovery_persist recovery_data_file:file create_file_perms;
+allow recovery_persist recovery_data_file:dir create_dir_perms;
+
+###
+### Neverallow rules
+###
+### recovery_persist should NEVER do any of this
+
+# Block device access.
+neverallow recovery_persist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_persist domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_persist system_file:dir_file_class_set write;
+
+# Write to files in /data/data
+neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
+
diff --git a/prebuilts/api/28.0/public/recovery_refresh.te b/prebuilts/api/28.0/public/recovery_refresh.te
new file mode 100644
index 000000000..602ed51d7
--- /dev/null
+++ b/prebuilts/api/28.0/public/recovery_refresh.te
@@ -0,0 +1,24 @@
+# android recovery refresh log manager
+type recovery_refresh, domain;
+type recovery_refresh_exec, exec_type, file_type;
+
+allow recovery_refresh pstorefs:dir search;
+allow recovery_refresh pstorefs:file r_file_perms;
+# NB: domain inherits write_logd which hands us write to pmsg_device
+
+###
+### Neverallow rules
+###
+### recovery_refresh should NEVER do any of this
+
+# Block device access.
+neverallow recovery_refresh dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_refresh domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_refresh system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
diff --git a/prebuilts/api/28.0/public/roles b/prebuilts/api/28.0/public/roles
new file mode 100644
index 000000000..ca9293439
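Review bot: The last neverallow in recovery_persist.te is documented as `# Write to files in /data/data` although the rule covers `{ app_data_file system_data_file }`, i.e. system-owned files on /data as well; the sibling rule in recovery_refresh.te in this same commit documents the identical target set as `# Write to files in /data/data or system files on /data`. The recovery_persist comment should be brought in line so the neverallow's scope is not under-described: `# Write to files in /data/data or system files on /data`. The trailing blank line before the next file header in recovery_persist.te is also absent from recovery_refresh.te; harmless, but worth normalising when the source policy is touched.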
--- /dev/null
+++ b/prebuilts/api/28.0/public/roles
@@ -0,0 +1 @@
+role r types domain;
diff --git a/prebuilts/api/28.0/public/runas.te b/prebuilts/api/28.0/public/runas.te
new file mode 100644
index 000000000..053a87f6b
--- /dev/null
+++ b/prebuilts/api/28.0/public/runas.te
@@ -0,0 +1,42 @@
+type runas, domain, mlstrustedsubject;
+type runas_exec, exec_type, file_type;
+
+allow runas adbd:fd use;
+allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
+allow runas shell:fd use;
+allow runas shell:fifo_file { read write };
+allow runas shell:unix_stream_socket { read write };
+allow runas devpts:chr_file { read write ioctl };
+allow runas shell_data_file:file { read write };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
+
+# The app's data dir may be accessed through a symlink.
+allow runas system_data_file:lnk_file read;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:global_capability_class_set dac_override;
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:global_capability_class_set { setuid setgid };
+
+# run-as switches to the app security context.
+selinux_check_context(runas) # validate context
+allow runas self:process setcurrent;
+allow runas non_system_app_set:process dyntransition; # setcon
+
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;
diff --git a/prebuilts/api/28.0/public/sdcardd.te b/prebuilts/api/28.0/public/sdcardd.te
new file mode 100644
index 000000000..4a88f54d0
--- /dev/null
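Review bot: `allow runas devpts:chr_file { read write ioctl };` grants the full ioctl permission on the pty with no comment, whereas racoon.te in this same commit narrows its socket ioctls with an `allowxperm ... ioctl { ... }` allowlist; sgdisk.te further down (`allow sgdisk devpts:chr_file { read write ioctl getattr };`) has the same shape. The snapshot cannot be changed here, but in the source policy it is worth checking whether a terminal-ioctl allowlist applies to these two rules, or else adding a comment stating that the unrestricted ioctl is intentional, e.g. `# Full pty ioctl set is intentional; no allowxperm filter applied (confirm)`. The trailing `# validate context` and `# setcon` comments are a good pattern and could be used for the devpts line as well.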
+++ b/prebuilts/api/28.0/public/sdcardd.te
@@ -0,0 +1,43 @@
+type sdcardd, domain;
+type sdcardd_exec, exec_type, file_type;
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
+allow sdcardd sdcardfs:filesystem remount;
+allow sdcardd tmpfs:dir r_dir_perms;
+allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+allow sdcardd storage_file:dir search;
+allow sdcardd storage_stub_file:dir { search mounton };
+allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+
+allow sdcardd sdcard_type:dir create_dir_perms;
+allow sdcardd sdcard_type:file create_file_perms;
+
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+
+# Read /data/.layout_version
+allow sdcardd install_data_file:file r_file_perms;
+
+# Allow stdin/out back to vold
+allow sdcardd vold:fd use;
+allow sdcardd vold:fifo_file { read write getattr };
+
+# Allow running on top of expanded storage
+allow sdcardd mnt_expand_file:dir search;
+
+# access /proc/filesystems
+allow sdcardd proc_filesystems:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
diff --git a/prebuilts/api/28.0/public/secure_element.te b/prebuilts/api/28.0/public/secure_element.te
new file mode 100644
index 000000000..4ce6714f6
--- /dev/null
+++ b/prebuilts/api/28.0/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/prebuilts/api/28.0/public/service.te b/prebuilts/api/28.0/public/service.te
new file mode 100644
index 000000000..3526049f2
--- /dev/null
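Review bot: `allow sdcardd rootfs:dir mounton; # TODO: deprecated in M` is still present in what is now the 28.0 snapshot, several releases after the comment says it became obsolete, and the TODO has no tracking reference. In the source policy the rule should either be removed if nothing mounts on rootfs any more, or the comment updated to say why it is kept, e.g. `# TODO(<bug id placeholder>): deprecated in M, still required by <caller placeholder>`. The capability line `{ setuid setgid dac_override sys_admin sys_resource }` is also the only uncommented grant in the block; given that `sys_admin` is broad, a short comment tying each capability to the mount/setuid work above would make the block self-auditing.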
+++ b/prebuilts/api/28.0/public/service.te 
@@ -0,0 +1,161 @@
+type audioserver_service, service_manager_type;
+type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type bluetooth_service, service_manager_type;
+type cameraserver_service, service_manager_type;
+type default_android_service, service_manager_type;
+type drmserver_service, service_manager_type;
+type dumpstate_service, service_manager_type;
+type fingerprintd_service, service_manager_type;
+type hal_fingerprint_service, service_manager_type;
+type gatekeeper_service, app_api_service, service_manager_type;
+type gpu_service, service_manager_type;
+type inputflinger_service, service_manager_type;
+type incident_service, service_manager_type;
+type installd_service, service_manager_type;
+type keystore_service, service_manager_type;
+type mediaserver_service, service_manager_type;
+type mediametrics_service, service_manager_type;
+type mediaextractor_service, service_manager_type;
+type mediaextractor_update_service, service_manager_type;
+type mediacodec_service, service_manager_type;
+type mediadrmserver_service, service_manager_type;
+type netd_service, service_manager_type;
+type nfc_service, service_manager_type;
+type perfprofd_service, service_manager_type;
+type radio_service, service_manager_type;
+type secure_element_service, service_manager_type;
+type storaged_service, service_manager_type;
+type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type system_app_service, service_manager_type;
+type thermal_service, service_manager_type;
+type update_engine_service, service_manager_type;
+type virtual_touchpad_service, service_manager_type;
+type vold_service, service_manager_type;
+type vr_hwc_service, service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type battery_service, system_server_service, service_manager_type;
+type binder_calls_stats_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type broadcastradio_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service, system_server_service, service_manager_type;
+type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
+type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type commontime_management_service, system_server_service, service_manager_type;
+type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
+# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
+type coverage_service, system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netd_listener_service, system_server_service, service_manager_type;
+type network_watchlist_service, system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
+type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lowpan_service, system_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
+type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_time_update_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type oem_lock_service, system_api_service, system_server_service, service_manager_type;
+type otadexopt_service, system_server_service, service_manager_type;
+type overlay_service, system_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type package_native_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
+type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type recovery_service, system_server_service, service_manager_type;
+type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
+type slice_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type system_update_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timezone_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vr_manager_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wificond_service, service_manager_type;
+type wifiaware_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
+type wpantund_service, system_api_service, service_manager_type;
diff --git a/prebuilts/api/28.0/public/servicemanager.te b/prebuilts/api/28.0/public/servicemanager.te
new file mode 100644
index 000000000..87e3a2217
--- /dev/null
+++ b/prebuilts/api/28.0/public/servicemanager.te
@@ -0,0 +1,25 @@
+# servicemanager - the Binder context manager
+type servicemanager, domain, mlstrustedsubject;
+type servicemanager_exec, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -vendor_init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
diff --git a/prebuilts/api/28.0/public/sgdisk.te b/prebuilts/api/28.0/public/sgdisk.te
new file mode 100644
index 000000000..ca3096cef
--- /dev/null
+++ b/prebuilts/api/28.0/public/sgdisk.te
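Review bot: `type IProxyService_service` and `type DockObserver_service` are the only two declarations in service.te that use CamelCase; every other service type in the file is lower snake_case ending in `_service`. Renaming is not possible in a frozen snapshot because the names are part of the 28.0 API surface, but the source policy should at least carry a comment on each, e.g. `# Name kept in CamelCase for compatibility with the registered Binder service name`, so the inconsistency is not copied into new types. The `coverage_service` comment says the service should only exist on userdebug/eng builds compiled with EMMA_INSTRUMENT and that it "should be locked down in the future", yet the type is declared unconditionally with no tracking bug; adding `(tracked in <bug id placeholder>)` to that comment would keep the follow-up visible.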
@@ -0,0 +1,22 @@
+# sgdisk called from vold
+type sgdisk, domain;
+type sgdisk_exec, exec_type, file_type;
+
+# Allowed to read/write low-level partition tables
+allow sgdisk block_device:dir search;
+allow sgdisk vold_device:blk_file rw_file_perms;
+
+# Inherit and use pty created by android_fork_execvp()
+allow sgdisk devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow sgdisk vold:fd use;
+allow sgdisk vold:fifo_file { read write getattr };
+
+# Used to probe kernel to reload partition tables
+allow sgdisk self:global_capability_class_set sys_admin;
+
+# Only allow entry from vold
+neverallow { domain -vold } sgdisk:process transition;
+neverallow * sgdisk:process dyntransition;
+neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/prebuilts/api/28.0/public/shared_relro.te b/prebuilts/api/28.0/public/shared_relro.te
new file mode 100644
index 000000000..8fe1fead5
--- /dev/null
+++ b/prebuilts/api/28.0/public/shared_relro.te
@@ -0,0 +1,10 @@
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
+
+# Grant write access to the shared relro files/directory.
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/shell.te b/prebuilts/api/28.0/public/shell.te
new file mode 100644
index 000000000..5e2745be4
--- /dev/null
+++ b/prebuilts/api/28.0/public/shell.te
@@ -0,0 +1,220 @@ +# Domain for shell processes spawned by ADB or console service. +type shell, domain, mlstrustedsubject; +type shell_exec, exec_type, file_type; + +# Create and use network sockets. +net_domain(shell) + +# logcat +read_logd(shell) +control_logd(shell) +# logcat -L (directly, or via dumpstate) +allow shell pstorefs:dir search; +allow shell pstorefs:file r_file_perms; + +# Root fs. +allow shell rootfs:dir r_dir_perms; + +# read files in /data/anr +allow shell anr_data_file:dir r_dir_perms; +allow shell anr_data_file:file r_file_perms; + +# Access /data/local/tmp. +allow shell shell_data_file:dir create_dir_perms; +allow shell shell_data_file:file create_file_perms; +allow shell shell_data_file:file rx_file_perms; +allow shell shell_data_file:lnk_file create_file_perms; + +# Read and delete from /data/local/traces. +allow shell trace_data_file:file { r_file_perms unlink }; +allow shell trace_data_file:dir { r_dir_perms remove_name write }; + +# Access /data/misc/profman. +allow shell profman_dump_data_file:dir { search getattr write remove_name }; +allow shell profman_dump_data_file:file { getattr unlink }; + +# Read/execute files in /data/nativetest +userdebug_or_eng(` + allow shell nativetest_data_file:dir r_dir_perms; + allow shell nativetest_data_file:file rx_file_perms; +') + +# adb bugreport +unix_socket_connect(shell, dumpstate, dumpstate) + +allow shell devpts:chr_file rw_file_perms; +allow shell tty_device:chr_file rw_file_perms; +allow shell console_device:chr_file rw_file_perms; +allow shell input_device:dir r_dir_perms; +allow shell input_device:chr_file rw_file_perms; +r_dir_file(shell, system_file) +allow shell system_file:file x_file_perms; +allow shell toolbox_exec:file rx_file_perms; +allow shell tzdatacheck_exec:file rx_file_perms; +allow shell shell_exec:file rx_file_perms; +allow shell zygote_exec:file rx_file_perms; + +r_dir_file(shell, apk_data_file) + +# Set properties. 
+set_prop(shell, shell_prop) +set_prop(shell, ctl_bugreport_prop) +set_prop(shell, ctl_dumpstate_prop) +set_prop(shell, dumpstate_prop) +set_prop(shell, exported_dumpstate_prop) +set_prop(shell, debug_prop) +set_prop(shell, powerctl_prop) +set_prop(shell, log_tag_prop) +set_prop(shell, wifi_log_prop) +# adjust is_loggable properties +userdebug_or_eng(`set_prop(shell, log_prop)') +# logpersist script +userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)') + +userdebug_or_eng(` + # "systrace --boot" support - allow boottrace service to run + allow shell boottrace_data_file:dir rw_dir_perms; + allow shell boottrace_data_file:file create_file_perms; + set_prop(shell, persist_debug_prop) +') + +# Read device's serial number from system properties +get_prop(shell, serialno_prop) + +# Read state of logging-related properties +get_prop(shell, device_logging_prop) + +# Read state of boot reason properties +get_prop(shell, bootloader_boot_reason_prop) +get_prop(shell, last_boot_reason_prop) +get_prop(shell, system_boot_reason_prop) + +# allow shell access to services +allow shell servicemanager:service_manager list; +# don't allow shell to access GateKeeper service +# TODO: why is this so broad? Tightening candidate? It needs at list: +# - dumpstate_service (so it can receive dumpstate progress updates) +allow shell { + service_manager_type + -gatekeeper_service + -incident_service + -installd_service + -netd_service + -virtual_touchpad_service + -vold_service + -vr_hwc_service +}:service_manager find; +allow shell dumpstate:binder call; + +# allow shell to get information from hwservicemanager +# for instance, listing hardware services with lshal +hwbinder_use(shell) +allow shell hwservicemanager:hwservice_manager list; + +# allow shell to look through /proc/ for lsmod, ps, top, netstat. 
+r_dir_file(shell, proc_net) + +allow shell { + proc_asound + proc_filesystems + proc_interrupts + proc_meminfo + proc_modules + proc_pid_max + proc_stat + proc_timer + proc_uptime + proc_version + proc_zoneinfo +}:file r_file_perms; + +# allow listing network interfaces under /sys/class/net. +allow shell sysfs_net:dir r_dir_perms; + +r_dir_file(shell, cgroup) +allow shell domain:dir { search open read getattr }; +allow shell domain:{ file lnk_file } { open read getattr }; + +# statvfs() of /proc and other labeled filesystems +# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs) +allow shell { proc labeledfs }:filesystem getattr; + +# stat() of /dev +allow shell device:dir getattr; + +# allow shell to read /proc/pid/attr/current for ps -Z +allow shell domain:process getattr; + +# Allow pulling the SELinux policy for CTS purposes +allow shell selinuxfs:dir r_dir_perms; +allow shell selinuxfs:file r_file_perms; + +# enable shell domain to read/write files/dirs for bootchart data +# User will creates the start and stop file via adb shell +# and read other files created by init process under /data/bootchart +allow shell bootchart_data_file:dir rw_dir_perms; +allow shell bootchart_data_file:file create_file_perms; + +# Make sure strace works for the non-privileged shell user +allow shell self:process ptrace; + +# allow shell to get battery info +allow shell sysfs:dir r_dir_perms; +allow shell sysfs_batteryinfo:dir r_dir_perms; +allow shell sysfs_batteryinfo:file r_file_perms; + +# Allow access to ion memory allocation device. 
+allow shell ion_device:chr_file rw_file_perms; + +# +# filesystem test for insecure chr_file's is done +# via a host side test +# +allow shell dev_type:dir r_dir_perms; +allow shell dev_type:chr_file getattr; + +# /dev/fd is a symlink +allow shell proc:lnk_file getattr; + +# +# filesystem test for insucre blk_file's is done +# via hostside test +# +allow shell dev_type:blk_file getattr; + +# read selinux policy files +allow shell file_contexts_file:file r_file_perms; +allow shell property_contexts_file:file r_file_perms; +allow shell seapp_contexts_file:file r_file_perms; +allow shell service_contexts_file:file r_file_perms; +allow shell sepolicy_file:file r_file_perms; + +# Allow shell to start up vendor shell +allow shell vendor_shell_exec:file rx_file_perms; + +### +### Neverallow rules +### + +# Do not allow shell to hard link to any files. +# In particular, if shell hard links to app data +# files, installd will not be able to guarantee the deletion +# of the linked to file. Hard links also contribute to security +# bugs, so we want to ensure the shell user never has this +# capability. +neverallow shell file_type:file link; + +# Do not allow privileged socket ioctl commands +neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; + +# limit shell access to sensitive char drivers to +# only getattr required for host side test. +neverallow shell { + fuse_device + hw_random_device + kmem_device + port_device +}:chr_file ~getattr; + +# Limit shell to only getattr on blk devices for host side tests. +neverallow shell dev_type:blk_file ~getattr; diff --git a/prebuilts/api/28.0/public/slideshow.te b/prebuilts/api/28.0/public/slideshow.te new file mode 100644 index 000000000..10fbbb852 --- /dev/null +++ b/prebuilts/api/28.0/public/slideshow.te 
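Review bot: The `service_manager find` rule for shell is a denylist over `service_manager_type`, so any service type added later is reachable from the adb shell by default unless someone remembers to extend the exclusion list; the TODO above the rule already flags this, but the hunk does not narrow it. An allowlist of what `adb shell` tooling actually needs (`dumpstate_service` plus the `dumpsys`/`cmd` targets) would fail closed; if that is too large a change for a prebuilt snapshot, the block should at least say `# DENYLIST: add any new privileged service here` so the maintenance burden is explicit. `allow shell domain:{ file lnk_file } { open read getattr }` grants read of every domain's /proc/pid entries, which is broader than the `ps`/`top`/`netstat` justification (they read stat, status and cmdline) — a comment naming the consumers would make a later tightening possible. Two comments in this hunk read `insucre`/`insecure` inconsistently and the host-side-test note is duplicated for chr_file and blk_file; one correctly spelled comment covering both would do.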
@@ -0,0 +1,14 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+allow slideshow kmsg_device:chr_file rw_file_perms;
+wakelock_use(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:global_capability_class_set sys_tty_config;
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
diff --git a/prebuilts/api/28.0/public/su.te b/prebuilts/api/28.0/public/su.te
new file mode 100644
index 000000000..031294548
--- /dev/null
+++ b/prebuilts/api/28.0/public/su.te
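Review bot: `allow slideshow kmsg_device:chr_file rw_file_perms;` grants read as well as write on /dev/kmsg; if slideshow only emits log lines to the kernel ring buffer (the usual reason a rootfs helper opens it), `w_file_perms` is sufficient and avoids exposing kernel log contents — including addresses when `dmesg_restrict` is off — to a domain that also reads input devices. I would change the line to `allow slideshow kmsg_device:chr_file w_file_perms;` with `# write-only: slideshow logs to the kernel ring buffer, it never reads it`, after confirming against the binary, since a genuine read dependency would surface as a denial on first boot. The hunk also ends with a trailing blank line that the neighbouring .te files in this change do not carry.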
@@ -0,0 +1,100 @@ +# All types must be defined regardless of build variant to ensure +# policy compilation succeeds with userdebug/user combination at boot +type su, domain; + +# File types must be defined for file_contexts. +type su_exec, exec_type, file_type; + +userdebug_or_eng(` + # Domain used for su processes, as well as for adbd and adb shell + # after performing an adb root command. The domain definition is + # wrapped to ensure that it does not exist at all on -user builds. + typeattribute su mlstrustedsubject; + + # Add su to various domains + net_domain(su) + + # grant su access to vndbinder + vndbinder_use(su) + + dontaudit su self:capability_class_set *; + dontaudit su kernel:security *; + dontaudit su kernel:system *; + dontaudit su self:memprotect *; + dontaudit su domain:process *; + dontaudit su domain:fd *; + dontaudit su domain:dir *; + dontaudit su domain:lnk_file *; + dontaudit su domain:{ fifo_file file } *; + dontaudit su domain:socket_class_set *; + dontaudit su domain:ipc_class_set *; + dontaudit su domain:key *; + dontaudit su fs_type:filesystem *; + dontaudit su {fs_type dev_type file_type}:dir_file_class_set *; + dontaudit su node_type:node *; + dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *; + dontaudit su netif_type:netif *; + dontaudit su port_type:socket_class_set *; + dontaudit su port_type:{ tcp_socket dccp_socket } *; + dontaudit su domain:peer *; + dontaudit su domain:binder *; + dontaudit su property_type:property_service *; + dontaudit su property_type:file *; + dontaudit su service_manager_type:service_manager *; + dontaudit su hwservice_manager_type:hwservice_manager *; + dontaudit su vndservice_manager_type:service_manager *; + dontaudit su servicemanager:service_manager list; + dontaudit su hwservicemanager:hwservice_manager list; + dontaudit su vndservicemanager:service_manager list; + dontaudit su keystore:keystore_key *; + dontaudit su domain:drmservice *; + dontaudit su unlabeled:filesystem *; + 
dontaudit su postinstall_file:filesystem *; + + # VTS tests run in the permissive su domain on debug builds, but the HALs + # being tested run in enforcing mode. Because hal_foo_server is enforcing + # su needs to be declared as hal_foo_client to grant hal_foo_server + # permission to interact with it. + typeattribute su halclientdomain; + typeattribute su hal_allocator_client; + typeattribute su hal_audio_client; + typeattribute su hal_authsecret_client; + typeattribute su hal_bluetooth_client; + typeattribute su hal_bootctl_client; + typeattribute su hal_camera_client; + typeattribute su hal_configstore_client; + typeattribute su hal_confirmationui_client; + typeattribute su hal_contexthub_client; + typeattribute su hal_drm_client; + typeattribute su hal_cas_client; + typeattribute su hal_dumpstate_client; + typeattribute su hal_fingerprint_client; + typeattribute su hal_gatekeeper_client; + typeattribute su hal_gnss_client; + typeattribute su hal_graphics_allocator_client; + typeattribute su hal_graphics_composer_client; + typeattribute su hal_health_client; + typeattribute su hal_ir_client; + typeattribute su hal_keymaster_client; + typeattribute su hal_light_client; + typeattribute su hal_memtrack_client; + typeattribute su hal_neuralnetworks_client; + typeattribute su hal_nfc_client; + typeattribute su hal_oemlock_client; + typeattribute su hal_power_client; + typeattribute su hal_secure_element_client; + typeattribute su hal_sensors_client; + typeattribute su hal_telephony_client; + typeattribute su hal_tetheroffload_client; + typeattribute su hal_thermal_client; + typeattribute su hal_tv_cec_client; + typeattribute su hal_tv_input_client; + typeattribute su hal_usb_client; + typeattribute su hal_vibrator_client; + typeattribute su hal_vr_client; + typeattribute su hal_weaver_client; + typeattribute su hal_wifi_client; + typeattribute su hal_wifi_hostapd_client; + typeattribute su hal_wifi_offload_client; + typeattribute su hal_wifi_supplicant_client; +') 
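Review bot: The comment `The domain definition is wrapped to ensure that it does not exist at all on -user builds` is contradicted by the unconditional `type su, domain;` and `type su_exec, exec_type, file_type;` lines above it, and the file header explains why those must exist on every variant; what the `userdebug_or_eng` block wraps is the attribute and permission set, not the domain. I would reword it to `# Only the attributes and rules below are wrapped; the su type always exists so user builds compile, but it carries no permissions there.` Nothing in this file stops a user build from transitioning into su — that guard presumably lives in domain.te or private/, and a pointer to it here would let the user-build story be audited in one place. The `dontaudit su domain:process *` and `dontaudit su kernel:security *` entries are expected for a permissive debug domain but deserve a one-line warning so the pattern is not copied into an enforcing domain.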
diff --git a/prebuilts/api/28.0/public/surfaceflinger.te b/prebuilts/api/28.0/public/surfaceflinger.te
new file mode 100644
index 000000000..ae00287d8
--- /dev/null
+++ b/prebuilts/api/28.0/public/surfaceflinger.te
@@ -0,0 +1,2 @@
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
diff --git a/prebuilts/api/28.0/public/system_app.te b/prebuilts/api/28.0/public/system_app.te
new file mode 100644
index 000000000..023058ee0
--- /dev/null
+++ b/prebuilts/api/28.0/public/system_app.te
@@ -0,0 +1,7 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+type system_app, domain;
diff --git a/prebuilts/api/28.0/public/system_server.te b/prebuilts/api/28.0/public/system_server.te
new file mode 100644
index 000000000..805d6175d
--- /dev/null
+++ b/prebuilts/api/28.0/public/system_server.te
@@ -0,0 +1,5 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain;
diff --git a/prebuilts/api/28.0/public/te_macros b/prebuilts/api/28.0/public/te_macros
new file mode 100644
index 000000000..9cfe47c84
--- /dev/null
+++ b/prebuilts/api/28.0/public/te_macros
@@ -0,0 +1,597 @@ +##################################### +# domain_trans(olddomain, type, newdomain) +# Allow a transition from olddomain to newdomain +# upon executing a file labeled with type. +# This only allows the transition; it does not +# cause it to occur automatically - use domain_auto_trans +# if that is what you want. +# +define(`domain_trans', ` +# Old domain may exec the file and transition to the new domain. +allow $1 $2:file { getattr open read execute map }; +allow $1 $3:process transition; +# New domain is entered by executing the file. +allow $3 $2:file { entrypoint open read execute getattr map }; +# New domain can send SIGCHLD to its caller. +ifelse($1, `init', `', `allow $3 $1:process sigchld;') +# Enable AT_SECURE, i.e. libc secure mode. +dontaudit $1 $3:process noatsecure; +# XXX dontaudit candidate but requires further study. +allow $1 $3:process { siginh rlimitinh }; +') + +##################################### +# domain_auto_trans(olddomain, type, newdomain) +# Automatically transition from olddomain to newdomain +# upon executing a file labeled with type. +# +define(`domain_auto_trans', ` +# Allow the necessary permissions. +domain_trans($1,$2,$3) +# Make the transition occur by default. +type_transition $1 $2:process $3; +') + +##################################### +# file_type_trans(domain, dir_type, file_type) +# Allow domain to create a file labeled file_type in a +# directory labeled dir_type. +# This only allows the transition; it does not +# cause it to occur automatically - use file_type_auto_trans +# if that is what you want. +# +define(`file_type_trans', ` +# Allow the domain to add entries to the directory. +allow $1 $2:dir ra_dir_perms; +# Allow the domain to create the file. 
+allow $1 $3:notdevfile_class_set create_file_perms; +allow $1 $3:dir create_dir_perms; +') + +##################################### +# file_type_auto_trans(domain, dir_type, file_type) +# Automatically label new files with file_type when +# they are created by domain in directories labeled dir_type. +# +define(`file_type_auto_trans', ` +# Allow the necessary permissions. +file_type_trans($1, $2, $3) +# Make the transition occur by default. +type_transition $1 $2:dir $3; +type_transition $1 $2:notdevfile_class_set $3; +') + +##################################### +# r_dir_file(domain, type) +# Allow the specified domain to read directories, files +# and symbolic links of the specified type. +define(`r_dir_file', ` +allow $1 $2:dir r_dir_perms; +allow $1 $2:{ file lnk_file } r_file_perms; +') + +##################################### +# tmpfs_domain(domain) +# Define and allow access to a unique type for +# this domain when creating tmpfs / shmem / ashmem files. +define(`tmpfs_domain', ` +type $1_tmpfs, file_type; +type_transition $1 tmpfs:file $1_tmpfs; +allow $1 $1_tmpfs:file { read write getattr map }; +allow $1 tmpfs:dir { getattr search }; +') + +# pdx macros for IPC. pdx is a high-level name which contains transport-specific +# rules from underlying transport (e.g. UDS-based implementation). + +##################################### +# pdx_service_attributes(service) +# Defines type attribute used to identify various service-related types. +define(`pdx_service_attributes', ` +attribute pdx_$1_endpoint_dir_type; +attribute pdx_$1_endpoint_socket_type; +attribute pdx_$1_channel_socket_type; +attribute pdx_$1_server_type; +') + +##################################### +# pdx_service_socket_types(service, endpoint_dir_t) +# Define types for endpoint and channel sockets. 
+define(`pdx_service_socket_types', ` +typeattribute $2 pdx_$1_endpoint_dir_type; +type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject; +type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket; +userdebug_or_eng(` +dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *; +dontaudit su pdx_$1_channel_socket:unix_stream_socket *; +') +') + +##################################### +# pdx_server(server_domain, service) +define(`pdx_server', ` +# Mark the server domain as a PDX server. +typeattribute $1 pdx_$2_server_type; +# Allow the init process to create the initial endpoint socket. +allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind }; +# Allow the server domain to use the endpoint socket and accept connections on it. +# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights +# than we need (e.g. we don"t need "bind" or "connect"). +allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept }; +# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()). +allow $1 self:process setsockcreate; +# Allow the server domain to create a client channel socket. +allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms; +# Prevent other processes from claiming to be a server for the same service. +neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept }; +') + +##################################### +# pdx_connect(client, service) +define(`pdx_connect', ` +# Allow client to open the service endpoint file. +allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms; +allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms; +# Allow the client to connect to endpoint socket. 
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown }; +') + +##################################### +# pdx_use(client, service) +define(`pdx_use', ` +# Allow the client to use the PDX channel socket. +# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights +# than we need (e.g. we don"t need "bind" or "connect"). +allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown }; +# Client needs to use an channel event fd from the server. +allow $1 pdx_$2_server_type:fd use; +# Servers may receive sync fences, gralloc buffers, etc, from clients. +# This could be tightened on a per-server basis, but keeping track of service +# clients is error prone. +allow pdx_$2_server_type $1:fd use; +') + +##################################### +# pdx_client(client, service) +define(`pdx_client', ` +pdx_connect($1, $2) +pdx_use($1, $2) +') + +##################################### +# init_daemon_domain(domain) +# Set up a transition from init to the daemon domain +# upon executing its binary. +define(`init_daemon_domain', ` +domain_auto_trans(init, $1_exec, $1) +tmpfs_domain($1) +') + +##################################### +# app_domain(domain) +# Allow a base set of permissions required for all apps. +define(`app_domain', ` +typeattribute $1 appdomain; +# Label ashmem objects with our own unique type. +tmpfs_domain($1) +# Map with PROT_EXEC. +allow $1 $1_tmpfs:file execute; +neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms; +neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms; +') + +##################################### +# untrusted_app_domain(domain) +# Allow a base set of permissions required for all untrusted apps. +define(`untrusted_app_domain', ` +typeattribute $1 untrusted_app_all; +') + +##################################### +# net_domain(domain) +# Allow a base set of permissions required for network access. 
+define(`net_domain', ` +typeattribute $1 netdomain; +') + +##################################### +# bluetooth_domain(domain) +# Allow a base set of permissions required for bluetooth access. +define(`bluetooth_domain', ` +typeattribute $1 bluetoothdomain; +') + +##################################### +# hal_attribute(hal_name) +# Add an attribute for hal implementations along with necessary +# restrictions. +define(`hal_attribute', ` +attribute hal_$1; +expandattribute hal_$1 true; +attribute hal_$1_client; +expandattribute hal_$1_client true; +attribute hal_$1_server; +expandattribute hal_$1_server false; + +neverallow { hal_$1_server -halserverdomain } domain:process fork; +') + +##################################### +# hal_server_domain(domain, hal_type) +# Allow a base set of permissions required for a domain to offer a +# HAL implementation of the specified type over HwBinder. +# +# For example, default implementation of Foo HAL: +# type hal_foo_default, domain; +# hal_server_domain(hal_foo_default, hal_foo) +# +define(`hal_server_domain', ` +typeattribute $1 halserverdomain; +typeattribute $1 $2_server; +typeattribute $1 $2; +') + +##################################### +# hal_client_domain(domain, hal_type) +# Allow a base set of permissions required for a domain to be a +# client of a HAL of the specified type. +# +# For example, make some_domain a client of Foo HAL: +# hal_client_domain(some_domain, hal_foo) +# +define(`hal_client_domain', ` +typeattribute $1 halclientdomain; +typeattribute $1 $2_client; + +# TODO(b/34170079): Make the inclusion of the rules below conditional also on +# non-Treble devices. For now, on non-Treble device, always grant clients of a +# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process). 
+not_full_treble(` +typeattribute $1 $2; +# Find passthrough HAL implementations +allow $2 system_file:dir r_dir_perms; +allow $2 vendor_file:dir r_dir_perms; +allow $2 vendor_file:file { read open getattr execute map }; +') +') + +##################################### +# passthrough_hal_client_domain(domain, hal_type) +# Allow a base set of permissions required for a domain to be a +# client of a passthrough HAL of the specified type. +# +# For example, make some_domain a client of passthrough Foo HAL: +# passthrough_hal_client_domain(some_domain, hal_foo) +# +define(`passthrough_hal_client_domain', ` +typeattribute $1 halclientdomain; +typeattribute $1 $2_client; +typeattribute $1 $2; +# Find passthrough HAL implementations +allow $2 system_file:dir r_dir_perms; +allow $2 vendor_file:dir r_dir_perms; +allow $2 vendor_file:file { read open getattr execute map }; +') + +##################################### +# unix_socket_connect(clientdomain, socket, serverdomain) +# Allow a local socket connection from clientdomain via +# socket to serverdomain. +# +# Note: If you see denial records that distill to the +# following allow rules: +# allow clientdomain property_socket:sock_file write; +# allow clientdomain init:unix_stream_socket connectto; +# allow clientdomain something_prop:property_service set; +# +# This sequence is indicative of attempting to set a property. +# use set_prop(sourcedomain, targetproperty) +# +define(`unix_socket_connect', ` +allow $1 $2_socket:sock_file write; +allow $1 $3:unix_stream_socket connectto; +') + +##################################### +# set_prop(sourcedomain, targetproperty) +# Allows source domain to set the +# targetproperty. +# +define(`set_prop', ` +unix_socket_connect($1, property, init) +allow $1 $2:property_service set; +get_prop($1, $2) +') + +##################################### +# get_prop(sourcedomain, targetproperty) +# Allows source domain to read the +# targetproperty. 
+# +define(`get_prop', ` +allow $1 $2:file r_file_perms; +') + +##################################### +# unix_socket_send(clientdomain, socket, serverdomain) +# Allow a local socket send from clientdomain via +# socket to serverdomain. +define(`unix_socket_send', ` +allow $1 $2_socket:sock_file write; +allow $1 $3:unix_dgram_socket sendto; +') + +##################################### +# binder_use(domain) +# Allow domain to use Binder IPC. +define(`binder_use', ` +# Call the servicemanager and transfer references to it. +allow $1 servicemanager:binder { call transfer }; +# servicemanager performs getpidcon on clients. +allow servicemanager $1:dir search; +allow servicemanager $1:file { read open }; +allow servicemanager $1:process getattr; +# rw access to /dev/binder and /dev/ashmem is presently granted to +# all domains in domain.te. +') + +##################################### +# hwbinder_use(domain) +# Allow domain to use HwBinder IPC. +define(`hwbinder_use', ` +# Call the hwservicemanager and transfer references to it. +allow $1 hwservicemanager:binder { call transfer }; +# Allow hwservicemanager to send out callbacks +allow hwservicemanager $1:binder { call transfer }; +# hwservicemanager performs getpidcon on clients. +allow hwservicemanager $1:dir search; +allow hwservicemanager $1:file { read open }; +allow hwservicemanager $1:process getattr; +# rw access to /dev/hwbinder and /dev/ashmem is presently granted to +# all domains in domain.te. +') + +##################################### +# vndbinder_use(domain) +# Allow domain to use Binder IPC. +define(`vndbinder_use', ` +# Talk to the vndbinder device node +allow $1 vndbinder_device:chr_file rw_file_perms; +# Call the vndservicemanager and transfer references to it. +allow $1 vndservicemanager:binder { call transfer }; +# vndservicemanager performs getpidcon on clients. 
+allow vndservicemanager $1:dir search; +allow vndservicemanager $1:file { read open }; +allow vndservicemanager $1:process getattr; +') + +##################################### +# binder_call(clientdomain, serverdomain) +# Allow clientdomain to perform binder IPC to serverdomain. +define(`binder_call', ` +# Call the server domain and optionally transfer references to it. +allow $1 $2:binder { call transfer }; +# Allow the serverdomain to transfer references to the client on the reply. +allow $2 $1:binder transfer; +# Receive and use open files from the server. +allow $1 $2:fd use; +') + +##################################### +# binder_service(domain) +# Mark a domain as being a Binder service domain. +# Used to allow binder IPC to the various system services. +define(`binder_service', ` +typeattribute $1 binderservicedomain; +') + +##################################### +# wakelock_use(domain) +# Allow domain to manage wake locks +define(`wakelock_use', ` +# Access /sys/power/wake_lock and /sys/power/wake_unlock +allow $1 sysfs_wake_lock:file rw_file_perms; +# Accessing these files requires CAP_BLOCK_SUSPEND +allow $1 self:global_capability2_class_set block_suspend; +') + +##################################### +# selinux_check_access(domain) +# Allow domain to check SELinux permissions via selinuxfs. +define(`selinux_check_access', ` +r_dir_file($1, selinuxfs) +allow $1 selinuxfs:file w_file_perms; +allow $1 kernel:security compute_av; +allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; +') + +##################################### +# selinux_check_context(domain) +# Allow domain to check SELinux contexts via selinuxfs. 
+define(`selinux_check_context', ` +r_dir_file($1, selinuxfs) +allow $1 selinuxfs:file w_file_perms; +allow $1 kernel:security check_context; +') + +##################################### +# create_pty(domain) +# Allow domain to create and use a pty, isolated from any other domain ptys. +define(`create_pty', ` +# Each domain gets a unique devpts type. +type $1_devpts, fs_type; +# Label the pty with the unique type when created. +type_transition $1 devpts:chr_file $1_devpts; +# Allow use of the pty after creation. +allow $1 $1_devpts:chr_file { open getattr read write ioctl }; +allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls; +# TIOCSTI is only ever used for exploits. Block it. +# b/33073072, b/7530569 +# http://www.openwall.com/lists/oss-security/2016/09/26/14 +neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI; +# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms +# allowed to everyone via domain.te. +') + +##################################### +# Non system_app application set +# +define(`non_system_app_set', `{ appdomain -system_app }') + +##################################### +# Recovery only +# SELinux rules which apply only to recovery mode +# +define(`recovery_only', ifelse(target_recovery, `true', $1, )) + +##################################### +# Full TREBLE only +# SELinux rules which apply only to full TREBLE devices +# +define(`full_treble_only', ifelse(target_full_treble, `true', $1, +ifelse(target_full_treble, `cts', +# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify +$1 +# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify +, ))) + +##################################### +# Not full TREBLE +# SELinux rules which apply only to devices which are not full TREBLE devices +# +define(`not_full_treble', ifelse(target_full_treble, `true', , $1)) + +##################################### +# Compatible property only +# SELinux rules which apply only to devices with compatible property +# 
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1, +ifelse(target_compatible_property, `cts', +# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify +$1 +# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify +, ))) + +##################################### +# Not compatible property +# SELinux rules which apply only to devices without compatible property +# +define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1)) + +##################################### +# Userdebug or eng builds +# SELinux rules which apply only to userdebug or eng builds +# +define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) + +##################################### +# asan builds +# SELinux rules which apply only to asan builds +# +define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), )) + +#################################### +# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp). +# +define(`crash_dump_fallback', ` +userdebug_or_eng(` + allow $1 su:fifo_file append; +') +allow $1 anr_data_file:file append; +allow $1 dumpstate:fd use; +allow $1 incidentd:fd use; +# TODO: Figure out why write is needed. +allow $1 dumpstate:fifo_file { append write }; +allow $1 incidentd:fifo_file { append write }; +allow $1 system_server:fifo_file { append write }; +allow $1 tombstoned:unix_stream_socket connectto; +allow $1 tombstoned:fd use; +allow $1 tombstoned_crash_socket:sock_file write; +allow $1 tombstone_data_file:file append; +') + +##################################### +# WITH_DEXPREOPT builds +# SELinux rules which apply only when pre-opting. 
+# +define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1)) + +##################################### +# write_logd(domain) +# Ability to write to android log +# daemon via sockets +define(`write_logd', ` +unix_socket_send($1, logdw, logd) +allow $1 pmsg_device:chr_file w_file_perms; +') + +##################################### +# read_logd(domain) +# Ability to run logcat and read from android +# log daemon via sockets +define(`read_logd', ` +allow $1 logcat_exec:file rx_file_perms; +unix_socket_connect($1, logdr, logd) +') + +##################################### +# read_runtime_log_tags(domain) +# ability to directly map the runtime event log tags +define(`read_runtime_log_tags', ` +allow $1 runtime_event_log_tags_file:file r_file_perms; +') + +##################################### +# control_logd(domain) +# Ability to control +# android log daemon via sockets +define(`control_logd', ` +# Group AID_LOG checked by filesystem & logd +# to permit control commands +unix_socket_connect($1, logd, logd) +') + +##################################### +# use_keystore(domain) +# Ability to use keystore. +# Keystore is requires the following permissions +# to call getpidcon. +define(`use_keystore', ` + allow keystore $1:dir search; + allow keystore $1:file { read open }; + allow keystore $1:process getattr; + allow $1 keystore_service:service_manager find; + binder_call($1, keystore) + binder_call(keystore, $1) +') + +########################################### +# use_drmservice(domain) +# Ability to use DrmService which requires +# DrmService to call getpidcon. +define(`use_drmservice', ` + allow drmserver $1:dir search; + allow drmserver $1:file { read open }; + allow drmserver $1:process getattr; +') + +########################################### +# add_service(domain, service) +# Ability for domain to add a service to service_manager +# and find it. It also creates a neverallow preventing +# others from adding it. 
+define(`add_service', `
+ allow $1 $2:service_manager { add find };
+ neverallow { domain -$1 } $2:service_manager add;
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
+ neverallow { domain -$1 } $2:hwservice_manager add;
+')
diff --git a/prebuilts/api/28.0/public/tee.te b/prebuilts/api/28.0/public/tee.te
new file mode 100644
index 000000000..0f9b32dc9
--- /dev/null
+++ b/prebuilts/api/28.0/public/tee.te
@@ -0,0 +1,11 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
+
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
+
diff --git a/prebuilts/api/28.0/public/thermalserviced.te b/prebuilts/api/28.0/public/thermalserviced.te
new file mode 100644
index 000000000..00e007132
--- /dev/null
+++ b/prebuilts/api/28.0/public/thermalserviced.te
@@ -0,0 +1,13 @@
+# thermalserviced -- thermal management services for system and vendor
+type thermalserviced, domain;
+type thermalserviced_exec, exec_type, file_type;
+
+binder_use(thermalserviced)
+binder_service(thermalserviced)
+add_service(thermalserviced, thermal_service)
+
+hwbinder_use(thermalserviced)
+hal_client_domain(thermalserviced, hal_thermal)
+add_hwservice(thermalserviced, thermalcallback_hwservice)
+
+binder_call(thermalserviced, platform_app)
diff --git a/prebuilts/api/28.0/public/tombstoned.te b/prebuilts/api/28.0/public/tombstoned.te
new file mode 100644
index 000000000..cf3ddcba9
--- /dev/null
+++ b/prebuilts/api/28.0/public/tombstoned.te
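Review bot: `selinux_check_access` grants the full `netlink_selinux_socket` permission set — `relabelfrom`, `relabelto`, `listen`, `accept`, `connect`, `name_bind`, `shutdown` and the rest — to every caller, while an AVC netlink listener only needs to create and bind the socket and read notifications from it; the stream-oriented permissions are meaningless on a netlink socket and the relabel pair is a genuine over-grant. I would replace that line with `allow $1 self:netlink_selinux_socket { create bind getattr setattr read write };` and confirm the exact set against denials on a userdebug build before landing it. Because the macro is the standard way enforcement points (servicemanager in this same change, keystore and others) get their access-check path, every one of them inherits the excess today. A comment on the macro saying which of the listed permissions the libselinux netlink thread actually exercises would also stop the list from growing by copy-paste.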
@@ -0,0 +1,22 @@
+# debugger interface
+type tombstoned, domain, mlstrustedsubject;
+type tombstoned_exec, exec_type, file_type;
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file create_file_perms;
+
+# TODO: Remove append / write permissions. They were temporarily
+# granted due to a bug which appears to have been fixed.
+allow tombstoned anr_data_file:file { append write };
+auditallow tombstoned anr_data_file:file { append write };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { getattr open create };
diff --git a/prebuilts/api/28.0/public/toolbox.te b/prebuilts/api/28.0/public/toolbox.te
new file mode 100644
index 000000000..59c3a9c73
--- /dev/null
+++ b/prebuilts/api/28.0/public/toolbox.te
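Review bot: The pair `allow tombstoned domain:dir r_dir_perms;` / `allow tombstoned domain:file r_file_perms;` is uncommented, yet together with mlstrustedsubject it lets tombstoned read the /proc entries of every domain on the device, which is a broader grant than the commented fd/fifo rules just above it. I would add `# Read /proc/<pid> of the crashing process (pid validation, comm/cmdline for the tombstone) -- TODO confirm` so the reason for the domain-wide read is recorded. The TODO on the anr_data_file append/write rules also names no bug; citing the bug id there would let the next maintainer verify the fix and actually drop the permissions the auditallow is tracking.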
@@ -0,0 +1,24 @@
+# Any toolbox command run by init.
+# At present, the only known usage is for running mkswap via fs_mgr.
+# Do NOT use this domain for toolbox when run by any other domain.
+type toolbox, domain;
+type toolbox_exec, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow toolbox tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow toolbox devpts:chr_file { read write getattr ioctl };
+
+# mkswap-specific.
+# Read/write block devices used for swap partitions.
+# Assign swap_block_device type any such partition in your
+# device///sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
+allow toolbox swap_block_device:blk_file rw_file_perms;
+
+# Only allow entry from init via the toolbox binary.
+neverallow { domain -init } toolbox:process transition;
+neverallow * toolbox:process dyntransition;
+neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
diff --git a/prebuilts/api/28.0/public/traced_probes.te b/prebuilts/api/28.0/public/traced_probes.te
new file mode 100644
index 000000000..e77c81166
--- /dev/null
+++ b/prebuilts/api/28.0/public/traced_probes.te
@@ -0,0 +1 @@
+type traced_probes, domain, coredomain;
diff --git a/prebuilts/api/28.0/public/traceur_app.te b/prebuilts/api/28.0/public/traceur_app.te
new file mode 100644
index 000000000..7113fa7ce
--- /dev/null
+++ b/prebuilts/api/28.0/public/traceur_app.te
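Review bot: The comment `# open fd inherited by fsck.` in toolbox.te describes the wrong domain: the rule below it is `allow toolbox tmpfs:chr_file { read write ioctl };`, so the inherited /dev/__null__ fd belongs to toolbox, and the text reads like a copy from fsck.te. I would change it to `# open fd inherited by toolbox.` The path in `# device///sepolicy/file_contexts file.` also looks like it lost angle-bracketed placeholders (presumably `device/<vendor>/<device>/...`) somewhere between the source and this rendering; worth checking the committed file rather than this view. The neverallow trio at the end is the right shape for a domain that must only be entered from init.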
@@ -0,0 +1,21 @@
+type traceur_app, domain;
+
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
+
+set_prop(traceur_app, debug_prop)
+
+allow traceur_app {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
+
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
diff --git a/prebuilts/api/28.0/public/tzdatacheck.te b/prebuilts/api/28.0/public/tzdatacheck.te
new file mode 100644
index 000000000..6f60c8e2a
--- /dev/null
+++ b/prebuilts/api/28.0/public/tzdatacheck.te
@@ -0,0 +1,18 @@
+# The tzdatacheck command run by init.
+type tzdatacheck, domain;
+type tzdatacheck_exec, exec_type, file_type;
+
+allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
+allow tzdatacheck zoneinfo_data_file:file unlink;
+
+# Below are strong assertion that only init, system_server and tzdatacheck
+# can modify the /data time zone rules directories. This is to make it very
+# clear that only these domains should modify the actual time zone rules data.
+# The tzdatacheck binary itself may be executed by shell for tests but it must
+# not be able to modify the real rules.
+# If other users / binaries could modify time zone rules on device this might
+# have negative implications for users (who may get incorrect local times)
+# or break assumptions made / invalidate data held by the components actually
+# responsible for updating time zone rules.
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
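Review bot: `set_prop(traceur_app, debug_prop)` is the broadest grant in traceur_app.te and the only one without a comment: it lets this app domain write every property carrying the debug_prop label, not just whichever tracing-related property it needs, and nothing in the file names that property. I would add `# Set the atrace tag/category properties read by the tracing daemons -- TODO confirm which property` above it and check whether a narrower property context already exists for that key. The exclusion list in the service_manager find rule would also benefit from a one-line note on why exactly those seven services are withheld, because the trailing dontaudit rules silence the denials that would otherwise reveal a missing or stale entry.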
diff --git a/prebuilts/api/28.0/public/ueventd.te b/prebuilts/api/28.0/public/ueventd.te
new file mode 100644
index 000000000..c41adb35d
--- /dev/null
+++ b/prebuilts/api/28.0/public/ueventd.te
@@ -0,0 +1,54 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+#####
+##### neverallow rules
+#####
+
+# ueventd must never set properties, otherwise deadlocks may occur.
+# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
+# No writing to the property socket, connecting to init, or setting properties.
+neverallow ueventd property_socket:sock_file write;
+neverallow ueventd init:unix_stream_socket connectto;
+neverallow ueventd property_type:property_service set;
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom kmem_device or port_device
+neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
diff --git a/prebuilts/api/28.0/public/uncrypt.te b/prebuilts/api/28.0/public/uncrypt.te
new file mode 100644
index 000000000..1e48b831d
--- /dev/null
+++ b/prebuilts/api/28.0/public/uncrypt.te
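Review bot: The capability line `allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };` bundles sys_rawio and net_admin with the expected device-node-creation set, but nothing in ueventd.te says what ueventd needs raw I/O or network administration for, and sys_rawio in particular is a capability the later blk_file neverallow is trying to keep away from data access. I would split the justification out, e.g. `# net_admin: SO_RCVBUFFORCE on the uevent netlink socket; sys_rawio: TODO confirm (which ioctl?)`, and drop sys_rawio if no caller can be found. The comment on the sysfs write rule says "regenerate uevents" while the rule itself is `allow ueventd sysfs_type:file w_file_perms;`, i.e. write to every sysfs_type file; a dedicated type for the uevent trigger files would let the rule match the comment. Minor: "maintenence" in the blk_file neverallow comment should be "maintenance".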
@@ -0,0 +1,45 @@
+# uncrypt
+type uncrypt, domain, mlstrustedsubject;
+type uncrypt_exec, exec_type, file_type;
+
+allow uncrypt self:global_capability_class_set dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+r_dir_file(uncrypt, app_data_file)
+
+userdebug_or_eng(`
+ # For debugging, allow /data/local/tmp access
+ r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file r_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
+
+# Raw writes to block device
+allow uncrypt self:global_capability_class_set sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
+
+# uncrypt reads /proc/cmdline
+allow uncrypt proc_cmdline:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
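Review bot: `r_dir_file(uncrypt, app_data_file)` is far wider than the comment above it suggests: the comment names one download directory under /data/data/com.google.android.gsf, but app_data_file is the label of every app's private data, and because uncrypt is mlstrustedsubject and also holds dac_override, this reads across all users' app sandboxes. If the GSF download path is the only intended source, the comment should say so explicitly (`# NOTE: app_data_file covers every app's private data; only the GSF download dir is meant here`) and a dedicated label for that directory or a move to ota_package_file (which this file already reads) would let the rule be narrowed. The userdata_block_device w_file_perms grant is likewise uncommented apart from the header; a line naming what is written there (the block map, presumably) would help the next reader.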
@@ -0,0 +1,21 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_app, domain;
+type untrusted_app_27, domain;
+type untrusted_app_25, domain;
diff --git a/prebuilts/api/28.0/public/untrusted_v2_app.te b/prebuilts/api/28.0/public/untrusted_v2_app.te
new file mode 100644
index 000000000..ac82f1531
--- /dev/null
+++ b/prebuilts/api/28.0/public/untrusted_v2_app.te
@@ -0,0 +1,5 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+type untrusted_v2_app, domain;
diff --git a/prebuilts/api/28.0/public/update_engine.te b/prebuilts/api/28.0/public/update_engine.te
new file mode 100644
index 000000000..ca73c7e89
--- /dev/null
+++ b/prebuilts/api/28.0/public/update_engine.te
@@ -0,0 +1,58 @@
+# Domain for update_engine daemon.
+type update_engine, domain, update_engine_common;
+type update_engine_exec, exec_type, file_type;
+
+net_domain(update_engine);
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
+# sockets.
+allow update_engine qtaguid_proc:file rw_file_perms;
+allow update_engine qtaguid_device:chr_file r_file_perms;
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:global_capability_class_set fsetid;
+
+allow update_engine kmsg_device:chr_file w_file_perms;
+allow update_engine update_engine_exec:file rx_file_perms;
+wakelock_use(update_engine);
+
+# Ignore these denials.
+dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:capability sys_rawio;
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir create_dir_perms;
+allow update_engine update_engine_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/misc/update_engine_log.
+allow update_engine update_engine_log_data_file:dir create_dir_perms;
+allow update_engine update_engine_log_data_file:file create_file_perms;
+
+# Don't allow kernel module loading, just silence the logs.
+dontaudit update_engine kernel:system module_request;
+
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+add_service(update_engine, update_engine_service)
+
+# Allow update_engine to call the callback function provided by priv_app.
+binder_call(update_engine, priv_app)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
diff --git a/prebuilts/api/28.0/public/update_engine_common.te b/prebuilts/api/28.0/public/update_engine_common.te
new file mode 100644
index 000000000..eb4cdc194
--- /dev/null
+++ b/prebuilts/api/28.0/public/update_engine_common.te
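Review bot: `dontaudit update_engine self:capability sys_rawio;` uses the bare capability class while every other capability rule in update_engine.te (the fowner/sys_admin allow and the fsetid dontaudit) goes through global_capability_class_set, which exists precisely so that the cap_userns variant is covered too; as written, a sys_rawio check raised in the userns class would still be logged. I would make it `dontaudit update_engine self:global_capability_class_set sys_rawio;`. The surrounding `# Ignore these denials.` comment would also be more useful if it said what triggers them (the fsetid note just above is a good model), since a silent dontaudit with no rationale tends to outlive the code path that needed it.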
@@ -0,0 +1,45 @@
+# update_engine payload application permissions. These are shared between the
+# background daemon and the recovery tool to sideload an update.
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine_common block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine_common boot_block_device:blk_file rw_file_perms;
+allow update_engine_common system_block_device:blk_file rw_file_perms;
+
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine_common misc_block_device:blk_file rw_file_perms;
+
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
+# Allow update_engine_common to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
+allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
+allow update_engine_common labeledfs:filesystem relabelfrom;
+
+# Allow update_engine_common to read and execute postinstall_file.
+allow update_engine_common postinstall_file:file rx_file_perms;
+allow update_engine_common postinstall_file:lnk_file r_file_perms;
+allow update_engine_common postinstall_file:dir r_dir_perms;
+
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine_common shell_exec:file rx_file_perms;
+
+# Allow update_engine_common to suspend, resume and kill the postinstall program.
+allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/cmdline
+allow update_engine_common proc_cmdline:file r_file_perms;
+
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)
diff --git a/prebuilts/api/28.0/public/update_verifier.te b/prebuilts/api/28.0/public/update_verifier.te
new file mode 100644
index 000000000..5d20eca82
--- /dev/null
+++ b/prebuilts/api/28.0/public/update_verifier.te
@@ -0,0 +1,31 @@
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, exec_type, file_type;
+
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
+
+# Write to kernel message.
+allow update_verifier kmsg_device:chr_file w_file_perms;
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
diff --git a/prebuilts/api/28.0/public/usbd.te b/prebuilts/api/28.0/public/usbd.te
new file mode 100644
index 000000000..98786e062
--- /dev/null
+++ b/prebuilts/api/28.0/public/usbd.te
@@ -0,0 +1,3 @@
+type usbd, domain;
+type usbd_exec, exec_type, file_type;
+
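Review bot: `allow update_engine_common labeledfs:filesystem relabelfrom;` is the one rule in the postinstall mount group that the comment above it does not account for, and on its own it reads as permission to retarget the label of any labeled filesystem. It is only safe because the neighbouring rule limits relabelto to postinstall_file, so the two must stay together; I would record that dependency with `# The freshly mounted /postinstall fs initially carries the generic labeledfs label; relabelfrom here is paired with relabelto postinstall_file above, which bounds the result -- TODO confirm`. The `# Allow to set recovery options in the BCB.` comment describes a write, while the rule grants rw_file_perms on misc_block_device; if the BCB is also read back (e.g. to preserve other fields) say so, otherwise w_file_perms would match the comment.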
diff --git a/prebuilts/api/28.0/public/vdc.te b/prebuilts/api/28.0/public/vdc.te
new file mode 100644
index 000000000..424bdea02
--- /dev/null
+++ b/prebuilts/api/28.0/public/vdc.te
@@ -0,0 +1,20 @@
+# vdc spawned from init for the following services:
+# defaultcrypto
+# encrypt
+#
+# We also transition into this domain from dumpstate, when
+# collecting bug reports.
+
+type vdc, domain;
+type vdc_exec, exec_type, file_type;
+
+# vdc can be invoked with logwrapper, so let it write to pty
+allow vdc devpts:chr_file rw_file_perms;
+
+# vdc writes directly to kmsg during the boot process
+allow vdc kmsg_device:chr_file w_file_perms;
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/vendor_init.te b/prebuilts/api/28.0/public/vendor_init.te
new file mode 100644
index 000000000..0237861a9
--- /dev/null
+++ b/prebuilts/api/28.0/public/vendor_init.te
@@ -0,0 +1,187 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set dac_override;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init..rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -runtime_event_log_tags_file
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -vendor_file_type
+ -vold_metadata_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:file { open read setattr };
+
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+# chown/chmod on devices, e.g.
/dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -kmem_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net)
+allow vendor_init proc_net:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+not_compatible_property(`
+ set_prop(vendor_init, {
+ property_type
+ -restorecon_prop
+ -netd_stable_secret_prop
+ -firstboot_prop
+ -pm_prop
+ -system_boot_reason_prop
+ -bootloader_boot_reason_prop
+ -last_boot_reason_prop
+ })
+')
+
+set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_config_prop)
+set_prop(vendor_init, exported_dalvik_prop)
+set_prop(vendor_init, exported_default_prop)
+set_prop(vendor_init, exported_ffs_prop)
+set_prop(vendor_init, exported_overlay_prop)
+set_prop(vendor_init, exported_pm_prop)
+set_prop(vendor_init, exported_radio_prop)
+set_prop(vendor_init, exported_system_radio_prop)
+set_prop(vendor_init, exported_wifi_prop)
+set_prop(vendor_init, exported2_config_prop)
+set_prop(vendor_init, exported2_system_prop)
+set_prop(vendor_init, 
exported2_vold_prop)
+set_prop(vendor_init, exported3_default_prop)
+set_prop(vendor_init, exported3_radio_prop)
+set_prop(vendor_init, logd_prop)
+set_prop(vendor_init, log_tag_prop)
+set_prop(vendor_init, log_prop)
+set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, wifi_log_prop)
+
+get_prop(vendor_init, exported2_radio_prop)
+get_prop(vendor_init, exported3_system_prop)
diff --git a/prebuilts/api/28.0/public/vendor_shell.te b/prebuilts/api/28.0/public/vendor_shell.te
new file mode 100644
index 000000000..7d30acba4
--- /dev/null
+++ b/prebuilts/api/28.0/public/vendor_shell.te
@@ -0,0 +1,19 @@
+type vendor_shell, domain;
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/28.0/public/vendor_toolbox.te b/prebuilts/api/28.0/public/vendor_toolbox.te
new file mode 100644
index 000000000..eb292cafb
--- /dev/null
+++ b/prebuilts/api/28.0/public/vendor_toolbox.te
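Review bot: The `dir_file_class_set relabelto` rule in vendor_init.te is the only one of the five file_type rules that does not subtract `-unlabeled`; the dir, file, sock_file/fifo_file and lnk_file rules all exclude it, so vendor_init can relabel objects to unlabeled but then cannot read, write or remove them. If that asymmetry is deliberate (restorecon on a filesystem with no xattr support, say) it should get a comment on the relabelto block; otherwise adding the `-unlabeled` line there keeps the five blocks consistent. The same block is also the only place where the exclusion set differs, which makes a future reader's diff of the five lists harder than it needs to be. The blanket `set_prop(vendor_init, { property_type ... })` inside not_compatible_property is bounded by the build flag, but a comment naming the flag's meaning (legacy devices without the property split) would help anyone reading the public policy without the macro definition to hand.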
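Review bot: The last two lines of vendor_shell.te, `allow vendor_shell input_device:dir r_dir_perms;` and `allow vendor_shell input_device:chr_file rw_file_perms;`, hand a shell reachable directly from adbd read/write access to every input device node, and they are the only uncommented grants in the file that do not concern the tty or adbd plumbing. I would add `# TODO confirm: which vendor tool needs raw /dev/input access from the vendor shell?` above them so the grant is traceable, and narrow it to read if writes (injected events) are not actually needed. The adbd block is fine as written.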
@@ -0,0 +1,16 @@
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+ # Do not allow non-vendor domains to transition
+ # to vendor toolbox except for the whitelisted domains.
+ neverallow {
+ coredomain
+ -init
+ -modprobe
+ } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
diff --git a/prebuilts/api/28.0/public/virtual_touchpad.te b/prebuilts/api/28.0/public/virtual_touchpad.te
new file mode 100644
index 000000000..c2800e3ef
--- /dev/null
+++ b/prebuilts/api/28.0/public/virtual_touchpad.te
@@ -0,0 +1,16 @@
+type virtual_touchpad, domain;
+type virtual_touchpad_exec, exec_type, file_type;
+
+binder_use(virtual_touchpad)
+binder_service(virtual_touchpad)
+add_service(virtual_touchpad, virtual_touchpad_service)
+
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
+# Requires access to /dev/uinput to create and feed the virtual device.
+allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/vndservice.te b/prebuilts/api/28.0/public/vndservice.te
new file mode 100644
index 000000000..0d309bf71
--- /dev/null
+++ b/prebuilts/api/28.0/public/vndservice.te
@@ -0,0 +1 @@
+type default_android_vndservice, vndservice_manager_type;
diff --git a/prebuilts/api/28.0/public/vndservicemanager.te b/prebuilts/api/28.0/public/vndservicemanager.te
new file mode 100644
index 000000000..6b9f73dc0
--- /dev/null
+++ b/prebuilts/api/28.0/public/vndservicemanager.te
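Review bot: The comment `# or read, execute the vendor_toolbox file.` in vendor_toolbox.te promises more than the rule delivers: the neverallow only lists `{ entrypoint execute execute_no_trans }`, so coredomain processes are still free to read the binary. Either the comment should drop "read" (`# Do not allow non-vendor domains to transition to or execute the vendor toolbox.`), or `read` belongs in the permission set, and the latter is the riskier change since init and modprobe are exempted for execute but some other coredomain may legitimately stat or read /vendor/bin/toolbox. The header sentence "Non-vendor processes are not allowed to execute the binary and is always executed without transition" also needs an "it": `# and it is always executed without transition.` A short note on why init and modprobe are whitelisted would complete the picture.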
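Review bot: The comment `# Requires access to /dev/uinput to create and feed the virtual device.` sits above a rule on `uhid_device`, and a reader who does not know that file_contexts labels /dev/uinput with the uhid_device type will assume the comment and the rule disagree. I would extend the comment: `# /dev/uinput is labelled uhid_device in file_contexts (it shares the label with /dev/uhid) -- TODO confirm`. The `{ w_file_perms ioctl }` set is appropriately narrow for a device that is only written to; the rest of the file is clearly commented.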
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/prebuilts/api/28.0/public/vold.te b/prebuilts/api/28.0/public/vold.te
new file mode 100644
index 000000000..95847cf64
--- /dev/null
+++ b/prebuilts/api/28.0/public/vold.te
@@ -0,0 +1,267 @@
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type;
+
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(vold, proc_net)
+r_dir_file(vold, sysfs_type)
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
+allow vold sysfs_dm:file w_file_perms;
+allow vold sysfs_usb:file w_file_perms;
+allow vold sysfs_zram_uevent:file w_file_perms;
+
+r_dir_file(vold, rootfs)
+allow vold {
+ proc # b/67049235 processes /proc//* files are mislabeled.
+ proc_cmdline
+ proc_drop_caches
+ proc_filesystems
+ proc_meminfo
+ proc_mounts
+}:file r_file_perms;
+
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For sgdisk launched through popen()
+allow vold shell_exec:file rx_file_perms;
+
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
+typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
+allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
+allow vold block_device:dir create_dir_perms;
+allow vold device:dir write;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold sdcard_type:dir mounton; # TODO: deprecated in M
+allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
+allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
+allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+
+# Manage locations where storage is mounted
+allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+
+# Access to storage that backs emulated FUSE daemons for migration optimization
+allow vold media_rw_data_file:dir create_dir_perms;
+allow vold media_rw_data_file:file create_file_perms;
+
+# Allow mounting of storage devices
+allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
+
+# Manage per-user primary symlinks
+allow vold mnt_user_file:dir create_dir_perms;
+allow vold mnt_user_file:lnk_file create_file_perms;
+
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vold app_data_file:dir search;
+allow vold app_data_file:file rw_file_perms;
+allow vold loop_control_device:chr_file rw_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
+
+allow vold kmsg_device:chr_file rw_file_perms;
+
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
+
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file rw_file_perms;
+
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:lnk_file getattr;
+
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
+# for secdiscard
+allow vold system_data_file:file read;
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# Property Service
+set_prop(vold, vold_prop)
+set_prop(vold, exported_vold_prop)
+set_prop(vold, exported2_vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
+allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+
+# Handle wake locks (used for device encryption)
+wakelock_use(vold)
+
+# Allow vold to publish a binder service and make binder calls.
+binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to batteryservice
+binder_call(vold, healthd)
+
+# talk to keymaster
+hal_client_domain(vold, hal_keymaster)
+
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;
+
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir create_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:global_capability_class_set sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:global_capability_class_set sys_chroot;
+allow vold storage_file:dir mounton;
+
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
+
+# MoveTask.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
+neverallow {
+ domain
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
+neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+# Only system_server and vdc can interact with vold over binder
+neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
+neverallow vold {
+ domain
+ -hal_keymaster_server
+ -healthd
+ -hwservicemanager
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
diff --git a/prebuilts/api/28.0/public/vold_prepare_subdirs.te b/prebuilts/api/28.0/public/vold_prepare_subdirs.te
new file mode 100644
index 000000000..6405d2dcb
--- /dev/null
+++ b/prebuilts/api/28.0/public/vold_prepare_subdirs.te
@@ -0,0 +1,6 @@
+# SELinux directory creation and labelling for vold-managed directories
+
+type vold_prepare_subdirs, domain;
+type vold_prepare_subdirs_exec, exec_type, file_type;
+
+typeattribute vold_prepare_subdirs coredomain;
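Review bot: The `domain`-wide grants in the middle of the vold hunk — `allow vold domain:dir r_dir_perms;`, `allow vold domain:{ file lnk_file } r_file_perms;`, `allow vold domain:process { signal sigkill };` together with the `sys_ptrace` and `kill` capabilities — let vold read what is effectively every process's /proc tree and kill any process on the system, and the only justification is the one-line comment naming killProcessesWithOpenFiles. The neverallow block at the end of the hunk limits who may reach vold and forbids `ptrace`, but nothing bounds vold's own signal rights; a comment on those rules recording the accepted risk, e.g. `# Scans /proc/PID/fd to find processes holding a volume open and kills them before unmount; no narrower target than domain is available.`, would at least make the trade-off visible. The `# XXX Label sysfs files with a specific type?` and `# XXX Split into a separate type?` comments earlier in the hunk are open questions being frozen into an API snapshot; if this prebuilt mirrors the source policy, they are presumably tracked there and could be referenced by bug id rather than left as bare XXX markers.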
diff --git a/prebuilts/api/28.0/public/vr_hwc.te b/prebuilts/api/28.0/public/vr_hwc.te
new file mode 100644
index 000000000..c05dd638a
--- /dev/null
+++ b/prebuilts/api/28.0/public/vr_hwc.te
@@ -0,0 +1,31 @@
+type vr_hwc, domain;
+type vr_hwc_exec, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+pdx_client(vr_hwc, display_client)
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/watchdogd.te b/prebuilts/api/28.0/public/watchdogd.te
new file mode 100644
index 000000000..00292a9a9
--- /dev/null
+++ b/prebuilts/api/28.0/public/watchdogd.te
@@ -0,0 +1,4 @@
+# watchdogd seclabel is specified in init..rc
+type watchdogd, domain;
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/28.0/public/webview_zygote.te b/prebuilts/api/28.0/public/webview_zygote.te
new file mode 100644
index 000000000..5d19b3226
--- /dev/null
+++ b/prebuilts/api/28.0/public/webview_zygote.te
@@ -0,0 +1,5 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+type webview_zygote, domain;
+type webview_zygote_exec, exec_type, file_type;
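Review bot: The comment `# Load vendor libraries.` sits above `allow vr_hwc system_file:dir r_dir_perms;`, which targets `system_file`, not a vendor type, so either the comment or the rule is stale. If directory search/listing under the system image is what vr_hwc needs, the comment should say that, e.g. `# Search/list directories labeled system_file.`; if vendor libraries are really meant, the rule should name the vendor type and the comment can stay. The `allow vr_hwc ion_device:chr_file r_file_perms;` line just below has no comment at all, while every other grant in the hunk does; a one-liner on why ION access is read-only would keep the file consistent.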
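Review bot: In the watchdogd hunk the comment `# watchdogd seclabel is specified in init..rc` reads as a garbled filename; the double dot suggests a placeholder for a board or device name was lost, possibly in rendering rather than in the source. Since this is the only pointer a reader has to where watchdogd's label is assigned, it is worth checking the source policy and restoring the intended name, or rewording to `# watchdogd seclabel is specified in the device-specific init.*.rc` if no single file is meant.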
diff --git a/prebuilts/api/28.0/public/wificond.te b/prebuilts/api/28.0/public/wificond.te
new file mode 100644
index 000000000..9e4dc7d32
--- /dev/null
+++ b/prebuilts/api/28.0/public/wificond.te
@@ -0,0 +1,31 @@
+# wificond
+type wificond, domain;
+type wificond_exec, exec_type, file_type;
+
+binder_use(wificond)
+binder_call(wificond, system_server)
+
+add_service(wificond, wificond_service)
+
+set_prop(wificond, exported_wifi_prop)
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+# create sockets to set interfaces up and down
+allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+allow wificond self:global_capability_class_set { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
+allow wificond self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+r_dir_file(wificond, proc_net)
+
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
+# dumpstate support
+allow wificond dumpstate:fd use;
+allow wificond dumpstate:fifo_file write;
diff --git a/prebuilts/api/28.0/public/wpantund.te b/prebuilts/api/28.0/public/wpantund.te
new file mode 100644
index 000000000..b31723651
--- /dev/null
+++ b/prebuilts/api/28.0/public/wpantund.te
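Review bot: `set_prop(wificond, ctl_default_prop)` is the broadest grant in this hunk and the only one without a comment: if `ctl_default_prop` is the catch-all label for the `ctl.*` control properties (its name suggests so; the definition is not in this chunk), it lets wificond start and stop any init service not covered by a more specific property type, well beyond the wifi-scoped `wifi_prop`/`exported_wifi_prop` grants next to it. A comment naming the service(s) wificond actually drives, e.g. `# ctl.start/ctl.stop of SERVICE_NAME_PLACEHOLDER only`, would document the need, and a dedicated property type would let a neverallow bound it. The `allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };` line is a good example of the narrowing that the property grant lacks.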
@@ -0,0 +1,29 @@
+type wpantund, domain;
+type wpantund_exec, exec_type, file_type;
+
+hal_client_domain(wpantund, hal_lowpan)
+net_domain(wpantund)
+
+binder_use(wpantund)
+binder_call(wpantund, system_server)
+
+# wpantund needs to be able to check in with the lowpan_service
+allow wpantund lowpan_service:service_manager find;
+
+# Allow wpantund to call any callbacks that have been registered with it.
+# Generally, only privileged apps are able to register callbacks with
+# wpantund, so we are limiting the scope for callbacks to only privileged
+# apps. We also add shell to allow the command-line utility `lowpanctl`
+# to work properly from `adb shell`.
+allow wpantund {priv_app shell}:binder call;
+
+# create sockets to set interfaces up and down, add multicast groups, etc.
+allow wpantund self:udp_socket create_socket_perms;
+
+# setting interface state up/down and changing MTU are privileged ioctls
+allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+# Allow us to bring up a TUN network interface.
+allow wpantund tun_device:chr_file rw_file_perms;
+allow wpantund self:global_capability_class_set { net_admin net_raw };
+allow wpantund self:tun_socket create;
diff --git a/prebuilts/api/28.0/public/zygote.te b/prebuilts/api/28.0/public/zygote.te
new file mode 100644
index 000000000..83c42efb0
--- /dev/null
+++ b/prebuilts/api/28.0/public/zygote.te
@@ -0,0 +1,3 @@
+# zygote
+type zygote, domain;
+type zygote_exec, exec_type, file_type;
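Review bot: `allow wpantund {priv_app shell}:binder call;` grants the `shell` domain unconditionally, justified in the comment as convenience for running lowpanctl from adb, while the vold hunk earlier in this diff gates its debug-only binder peer with userdebug_or_eng(`-su'). If lowpanctl is a developer tool rather than a production path, splitting the rule into `allow wpantund priv_app:binder call;` plus `userdebug_or_eng(`allow wpantund shell:binder call;')` keeps the user-build surface smaller; if it must work on user builds, saying so in the comment would settle the question. The comment's claim that only privileged apps can register callbacks is not something this hunk enforces on its own, so it would help to name where that restriction lives.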