neverallows/plat_public/neverallows.te - device/mediatek/wembley-sepolicy - Git at Google

 # ==============================================
 # MTK Policy Rule
 # ==============================================

 # Rules for all domains.

 # Do not allow access to the generic sysfs label. This is too broad.
 # Instead, if access to part of sysfs is desired, it should have a
 # more specific label.
 full_treble_only(`
   neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;

   neverallow {
     coredomain
     -apexd
     -init
     -ueventd
     -vold
     } sysfs:file *;

   neverallow {
     init
     ueventd
     vold
     } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };

   neverallow ~{
     init
     ueventd
     } sysfs:lnk_file ~r_file_perms;

   neverallow {
     init
     ueventd
     } sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };

   neverallow ~{
     init
     otapreopt_chroot
     ueventd
     vendor_init
     } sysfs:dir ~r_dir_perms;

   neverallow {
     init
     otapreopt_chroot
     ueventd
     vendor_init
     } sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
 ')


 # Do not allow access to the generic proc label. This is too broad.
 # Instead, if access to part of proc is desired, it should have a
 # more specific label.
 # TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
 #
 #   r_dir_file(hal_audio, proc)
 #   hal_server_domain(mtk_hal_audio, hal_audio)
 #   hal_client_domain(audioserver, hal_audio)
 #
 full_treble_only(`
   neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;

   neverallow {
     coredomain
     -audioserver
     -bluetooth
     -init
     -system_server
     -vold
     } proc:file *;

   neverallow {
     audioserver
     bluetooth
     init
     system_server
     vold
     } proc:file ~r_file_perms;

   neverallow vendor_init proc:file ~{ read setattr map open };

   neverallow {
     coredomain
     -audioserver
     -bluetooth
     -init
     -system_server
     } proc:lnk_file ~{ read getattr };

   neverallow {
     audioserver
     bluetooth
     init
     system_server
     } proc:lnk_file ~r_file_perms;

   neverallow ~{
     init
     vendor_init
     } proc:dir ~{ r_file_perms search };

   neverallow {
     init
     vendor_init
     } proc:dir ~{ r_file_perms search setattr };
 ')


 # Do not allow access to the generic debugfs label. This is too broad.
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
 full_treble_only(`
   neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;

   neverallow ~{
     dumpstate
     init
     vendor_init
     } debugfs:file *;

   neverallow dumpstate debugfs:file ~r_file_perms;

   neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };

   neverallow vendor_init debugfs:file ~{ read setattr open map };

   neverallow ~init debugfs:lnk_file *;

   neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };

   neverallow ~{
     init
     vendor_init
     } debugfs:dir ~{ search getattr };

   neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto userdebug_or_eng(`mounton') };

   neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
 ')


 # Do not allow access to the generic system_data_file label. This is
 # too broad.
 # Instead, if access to part of system_data_file is desired, it should
 # have a more specific label.
 # TODO: Remove merged_hal_service and so on once there are no violations.
 #
 #   allow hal_drm system_data_file:file { getattr read };
 #   hal_server_domain(merged_hal_service, hal_drm)
 #
 full_treble_only(`
   neverallow ~{
     init
     installd
     system_server
     } system_data_file:{ chr_file blk_file sock_file fifo_file } *;

   neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };

   neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

   neverallow installd system_data_file:{ chr_file blk_file } *;

   neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };

   neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;

   neverallow {
     coredomain
     -appdomain
     -app_zygote
     -init
     -installd
     -iorap_prefetcherd
     -iorap_inode2filename
     -system_server
     -toolbox
     -vold
     -vold_prepare_subdirs
     with_asan(`-asan_extract')
     } system_data_file:file ~r_file_perms;

   neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

   neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };

   neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

   neverallow iorap_inode2filename system_data_file:file ~getattr;

   neverallow iorap_prefetcherd system_data_file:file ~{ open read };

   neverallow {
     mediadrmserver
     mediaextractor
     mediaserver
    } system_data_file:file ~{ read getattr };

   neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };

   neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

   neverallow vold system_data_file:file ~read;

   with_asan(`
     neverallow asan_extract system_data_file:file ~{ create_file_perms relabelfrom execute };
    ')

   neverallow ~{
     appdomain
     app_zygote
     init
     installd
     iorap_prefetcherd
     iorap_inode2filename
     logd
     rs
     runas
     simpleperf_app_runner
     system_server
     tee
     vold
     webview_zygote
     with_asan(`asan_extract')
     zygote
     } system_data_file:lnk_file ~getattr;

   neverallow {
     appdomain
     app_zygote
     logd
     webview_zygote
     } system_data_file:lnk_file ~r_file_perms;

   neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };

   neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };

   neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };

   neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };

   neverallow rs system_data_file:lnk_file ~{ read };

   neverallow {
     runas
     simpleperf_app_runner
     tee
     } system_data_file:lnk_file ~{ read getattr };

   neverallow system_server system_data_file:lnk_file ~create_file_perms;

   with_asan(`
     neverallow asan_extract system_data_file:lnk_file ~create_file_perms ;
    ')

   neverallow ~{
     artd
     apexd
     init
     installd
     iorap_prefetcherd
     iorap_inode2filename
     system_server
     toolbox
     traced_probes
     vold
     vold_prepare_subdirs
     with_asan(`asan_extract')
     zygote
     } system_data_file:dir ~{ search getattr };

   neverallow artd system_data_file:dir ~r_dir_perms;

   neverallow apexd system_data_file:dir ~r_dir_perms;

   neverallow init system_data_file:dir ~{
     create search getattr open read setattr ioctl
     mounton
     relabelto
     write add_name remove_name rmdir relabelfrom
     };

   neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };

   neverallow {
     iorap_prefetcherd
     iorap_inode2filename
     traced_probes
     } system_data_file:dir ~{ open read search getattr };

   neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };

   neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };

   neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };

   with_asan(`
     neverallow asan_extract system_data_file:dir ~{ create_dir_perms relabelfrom };
    ')

   neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
 ')


 # Do not allow access to the generic vendor_data_file label. This is
 # too broad.
 # Instead, if access to part of vendor_data_file is desired, it should
 # have a more specific label.
 full_treble_only(`
   neverallow ~{
     init
     vendor_init
     } vendor_data_file:file_class_set *;

   neverallow {
     init
     vendor_init
     } vendor_data_file:{ chr_file blk_file } ~{ relabelto };

   neverallow {
     init
     vendor_init
     } vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

   neverallow {
     init
     vendor_init
     } vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

   neverallow {
     init
     vendor_init
     } vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };

   neverallow ~{
     init
     vendor_init
     vold
     vold_prepare_subdirs
     } vendor_data_file:dir ~{ getattr search };

   neverallow {
     init
     vendor_init
     } vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };

   neverallow vold vendor_data_file:dir ~create_dir_perms;

   neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
 ')

 # Do not allow access to the generic app_data_file label. This is too broad.
 # Instead, if access to part of app_data_file is desired, it should have a
 # more specific label.
 #full_treble_only(`
 #  neverallow * app_data_file:dir_file_class_set *;
 #')

 # Do not allow access to the generic default_prop label. This is too broad.
 # Instead, if access to part of default_prop is desired, it should have a
 # more specific label.
 #full_treble_only(`
 #  neverallow * default_prop:dir_file_class_set *;
 #')

 # Do not allow access to the generic vendor_default_prop label. This is
 # too broad.
 # Instead, if access to part of vendor_default_prop is desired, it should
 # have a more specific label.
 #full_treble_only(`
 #  neverallow * vendor_default_prop:dir_file_class_set *;
 #')

 # Do not allow access to the generic device label. This is too broad.
 # Instead, if access to part of device is desired, it should have a
 # more specific label.
 # TODO: Remove hal_camera and so on once there are no violations.
 #
 #   allow hal_camera device:dir r_dir_perms;
 #   hal_client_domain(cameraserver, hal_camera)
 #
 full_treble_only(`
   neverallow * device:{ sock_file fifo_file } *;

   neverallow ~{
     init
     shell
     ueventd
     vendor_init
     } device:chr_file *;

   neverallow { init vendor_init } device:chr_file ~setattr;

   neverallow shell device:chr_file ~getattr;

   neverallow ueventd device:chr_file ~{ getattr create setattr unlink };

   neverallow ~{
     apexd
     dumpstate
     e2fs
     fsck
     fsck_untrusted
     init
     recovery
     shell
     ueventd
     vendor_init
     } device:blk_file *;

   neverallow {
     dumpstate
     e2fs
     fsck
     fsck_untrusted
     shell
     vendor_init
     } device:blk_file ~getattr;

   neverallow init device:blk_file ~r_file_perms;

   neverallow recovery device:blk_file ~rw_file_perms;

   neverallow ueventd device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

   neverallow ~{
     init
     vendor_init
     ueventd
     } device:file *;

   neverallow init device:file ~{ create_file_perms relabelfrom };

   neverallow ueventd device:file ~create_file_perms;

   neverallow vendor_init device:file ~{ read setattr map open getattr };

   neverallow ~{
     init
     vendor_init
     ueventd
     } device:lnk_file ~r_file_perms;

   neverallow { init vendor_init } device:lnk_file ~{ r_file_perms create };

   neverallow ueventd device:lnk_file ~{ r_file_perms create unlink };

   neverallow {
     coredomain
     -apexd
     -cameraserver
     -fastbootd
     -hal_camera
     -init
     -otapreopt_chroot
     -recovery
     -shell
     -slideshow
     -system_server
     -vendor_init
     -vold
     -ueventd
     } device:dir ~{ search getattr };

   neverallow {
     cameraserver
     fastbootd
     hal_camera
     system_server
     shell
     slideshow
     recovery
     } device:dir ~r_dir_perms;

   neverallow init device:dir ~{ create_dir_perms mounton relabelto };

   neverallow vendor_init device:dir ~{ create_dir_perms mounton };

   neverallow vold device:dir ~{ search getattr write };

   neverallow ueventd device:dir ~create_dir_perms;
 ')

 # Do not allow access to the generic socket_device label. This is too broad.
 # Instead, if access to part of socket_device is desired, it should have a
 # more specific label.
 full_treble_only(`
   neverallow * socket_device:{ file sock_file fifo_file } *;

   neverallow ~{
     init
     shell
     ueventd
     vendor_init
     } socket_device:chr_file *;

   neverallow {
     init
     vendor_init
     } socket_device:chr_file ~{ setattr };

   neverallow shell socket_device:chr_file ~{ getattr };

   neverallow ueventd socket_device:chr_file ~{ getattr create setattr unlink };

   neverallow ~{
     apexd
     dumpstate
     e2fs
     fsck
     fsck_untrusted
     init
     recovery
     shell
     ueventd
     vendor_init
     } socket_device:blk_file *;

   neverallow {
     apexd
     dumpstate
     e2fs
     fsck
     fsck_untrusted
     shell
     vendor_init
     } socket_device:blk_file ~getattr;

   neverallow init socket_device:blk_file ~r_file_perms;

   neverallow recovery socket_device:blk_file ~rw_file_perms;

   neverallow ueventd socket_device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

   neverallow ~{
     init
     ueventd
     vendor_init
     } socket_device:lnk_file ~r_file_perms;

   neverallow {
     init
     vendor_init
     } socket_device:lnk_file ~{ r_file_perms create };

   neverallow ueventd socket_device:lnk_file ~{ r_file_perms create unlink };

   neverallow ~{
     init
     ueventd
     vendor_init
     } socket_device:dir ~r_dir_perms;

   neverallow init socket_device:dir ~{ create_dir_perms relabelto };

   neverallow {
     ueventd
     vendor_init
     } socket_device:dir ~create_dir_perms;

 ')

 # Do not allow access to the generic block_device label. This is too broad.
 # Instead, if access to part of block_device is desired, it should have a
 # more specific label.
 #full_treble_only(`
 #  neverallow * block_device:dir_file_class_set *;
 #')

 # Do not allow access to the generic bootdevice_block_device label. This is
 # too broad.
 # Instead, if access to part of bootdevice_block_device is desired, it should
 # have a more specific label.
 #full_treble_only(`
 #  neverallow * bootdevice_block_device:dir_file_class_set *;
 #')
	# ==============================================
	# MTK Policy Rule
	# ==============================================

	# Rules for all domains.

	# Do not allow access to the generic sysfs label. This is too broad.
	# Instead, if access to part of sysfs is desired, it should have a
	# more specific label.
	full_treble_only(`
	neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;

	neverallow {
	coredomain
	-apexd
	-init
	-ueventd
	-vold
	} sysfs:file *;

	neverallow {
	init
	ueventd
	vold
	} sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };

	neverallow ~{
	init
	ueventd
	} sysfs:lnk_file ~r_file_perms;

	neverallow {
	init
	ueventd
	} sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };

	neverallow ~{
	init
	otapreopt_chroot
	ueventd
	vendor_init
	} sysfs:dir ~r_dir_perms;

	neverallow {
	init
	otapreopt_chroot
	ueventd
	vendor_init
	} sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
	')


	# Do not allow access to the generic proc label. This is too broad.
	# Instead, if access to part of proc is desired, it should have a
	# more specific label.
	# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
	#
	# r_dir_file(hal_audio, proc)
	# hal_server_domain(mtk_hal_audio, hal_audio)
	# hal_client_domain(audioserver, hal_audio)
	#
	full_treble_only(`
	neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;

	neverallow {
	coredomain
	-audioserver
	-bluetooth
	-init
	-system_server
	-vold
	} proc:file *;

	neverallow {
	audioserver
	bluetooth
	init
	system_server
	vold
	} proc:file ~r_file_perms;

	neverallow vendor_init proc:file ~{ read setattr map open };

	neverallow {
	coredomain
	-audioserver
	-bluetooth
	-init
	-system_server
	} proc:lnk_file ~{ read getattr };

	neverallow {
	audioserver
	bluetooth
	init
	system_server
	} proc:lnk_file ~r_file_perms;

	neverallow ~{
	init
	vendor_init
	} proc:dir ~{ r_file_perms search };

	neverallow {
	init
	vendor_init
	} proc:dir ~{ r_file_perms search setattr };
	')


	# Do not allow access to the generic debugfs label. This is too broad.
	# Instead, if access to part of debugfs is desired, it should have a
	# more specific label.
	full_treble_only(`
	neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;

	neverallow ~{
	dumpstate
	init
	vendor_init
	} debugfs:file *;

	neverallow dumpstate debugfs:file ~r_file_perms;

	neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };

	neverallow vendor_init debugfs:file ~{ read setattr open map };

	neverallow ~init debugfs:lnk_file *;

	neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };

	neverallow ~{
	init
	vendor_init
	} debugfs:dir ~{ search getattr };

	neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto userdebug_or_eng(`mounton') };

	neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
	')


	# Do not allow access to the generic system_data_file label. This is
	# too broad.
	# Instead, if access to part of system_data_file is desired, it should
	# have a more specific label.
	# TODO: Remove merged_hal_service and so on once there are no violations.
	#
	# allow hal_drm system_data_file:file { getattr read };
	# hal_server_domain(merged_hal_service, hal_drm)
	#
	full_treble_only(`
	neverallow ~{
	init
	installd
	system_server
	} system_data_file:{ chr_file blk_file sock_file fifo_file } *;

	neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };

	neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

	neverallow installd system_data_file:{ chr_file blk_file } *;

	neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };

	neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;

	neverallow {
	coredomain
	-appdomain
	-app_zygote
	-init
	-installd
	-iorap_prefetcherd
	-iorap_inode2filename
	-system_server
	-toolbox
	-vold
	-vold_prepare_subdirs
	with_asan(`-asan_extract')
	} system_data_file:file ~r_file_perms;

	neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };

	neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };

	neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };

	neverallow iorap_inode2filename system_data_file:file ~getattr;

	neverallow iorap_prefetcherd system_data_file:file ~{ open read };

	neverallow {
	mediadrmserver
	mediaextractor
	mediaserver
	} system_data_file:file ~{ read getattr };

	neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };

	neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };

	neverallow vold system_data_file:file ~read;

	with_asan(`
	neverallow asan_extract system_data_file:file ~{ create_file_perms relabelfrom execute };
	')

	neverallow ~{
	appdomain
	app_zygote
	init
	installd
	iorap_prefetcherd
	iorap_inode2filename
	logd
	rs
	runas
	simpleperf_app_runner
	system_server
	tee
	vold
	webview_zygote
	with_asan(`asan_extract')
	zygote
	} system_data_file:lnk_file ~getattr;

	neverallow {
	appdomain
	app_zygote
	logd
	webview_zygote
	} system_data_file:lnk_file ~r_file_perms;

	neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };

	neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };

	neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };

	neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };

	neverallow rs system_data_file:lnk_file ~{ read };

	neverallow {
	runas
	simpleperf_app_runner
	tee
	} system_data_file:lnk_file ~{ read getattr };

	neverallow system_server system_data_file:lnk_file ~create_file_perms;

	with_asan(`
	neverallow asan_extract system_data_file:lnk_file ~create_file_perms ;
	')

	neverallow ~{
	artd
	apexd
	init
	installd
	iorap_prefetcherd
	iorap_inode2filename
	system_server
	toolbox
	traced_probes
	vold
	vold_prepare_subdirs
	with_asan(`asan_extract')
	zygote
	} system_data_file:dir ~{ search getattr };

	neverallow artd system_data_file:dir ~r_dir_perms;

	neverallow apexd system_data_file:dir ~r_dir_perms;

	neverallow init system_data_file:dir ~{
	create search getattr open read setattr ioctl
	mounton
	relabelto
	write add_name remove_name rmdir relabelfrom
	};

	neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };

	neverallow {
	iorap_prefetcherd
	iorap_inode2filename
	traced_probes
	} system_data_file:dir ~{ open read search getattr };

	neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };

	neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };

	neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };

	with_asan(`
	neverallow asan_extract system_data_file:dir ~{ create_dir_perms relabelfrom };
	')

	neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
	')


	# Do not allow access to the generic vendor_data_file label. This is
	# too broad.
	# Instead, if access to part of vendor_data_file is desired, it should
	# have a more specific label.
	full_treble_only(`
	neverallow ~{
	init
	vendor_init
	} vendor_data_file:file_class_set *;

	neverallow {
	init
	vendor_init
	} vendor_data_file:{ chr_file blk_file } ~{ relabelto };

	neverallow {
	init
	vendor_init
	} vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };

	neverallow {
	init
	vendor_init
	} vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };

	neverallow {
	init
	vendor_init
	} vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };

	neverallow ~{
	init
	vendor_init
	vold
	vold_prepare_subdirs
	} vendor_data_file:dir ~{ getattr search };

	neverallow {
	init
	vendor_init
	} vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };

	neverallow vold vendor_data_file:dir ~create_dir_perms;

	neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
	')

	# Do not allow access to the generic app_data_file label. This is too broad.
	# Instead, if access to part of app_data_file is desired, it should have a
	# more specific label.
	#full_treble_only(`
	# neverallow * app_data_file:dir_file_class_set *;
	#')

	# Do not allow access to the generic default_prop label. This is too broad.
	# Instead, if access to part of default_prop is desired, it should have a
	# more specific label.
	#full_treble_only(`
	# neverallow * default_prop:dir_file_class_set *;
	#')

	# Do not allow access to the generic vendor_default_prop label. This is
	# too broad.
	# Instead, if access to part of vendor_default_prop is desired, it should
	# have a more specific label.
	#full_treble_only(`
	# neverallow * vendor_default_prop:dir_file_class_set *;
	#')

	# Do not allow access to the generic device label. This is too broad.
	# Instead, if access to part of device is desired, it should have a
	# more specific label.
	# TODO: Remove hal_camera and so on once there are no violations.
	#
	# allow hal_camera device:dir r_dir_perms;
	# hal_client_domain(cameraserver, hal_camera)
	#
	full_treble_only(`
	neverallow * device:{ sock_file fifo_file } *;

	neverallow ~{
	init
	shell
	ueventd
	vendor_init
	} device:chr_file *;

	neverallow { init vendor_init } device:chr_file ~setattr;

	neverallow shell device:chr_file ~getattr;

	neverallow ueventd device:chr_file ~{ getattr create setattr unlink };

	neverallow ~{
	apexd
	dumpstate
	e2fs
	fsck
	fsck_untrusted
	init
	recovery
	shell
	ueventd
	vendor_init
	} device:blk_file *;

	neverallow {
	dumpstate
	e2fs
	fsck
	fsck_untrusted
	shell
	vendor_init
	} device:blk_file ~getattr;

	neverallow init device:blk_file ~r_file_perms;

	neverallow recovery device:blk_file ~rw_file_perms;

	neverallow ueventd device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

	neverallow ~{
	init
	vendor_init
	ueventd
	} device:file *;

	neverallow init device:file ~{ create_file_perms relabelfrom };

	neverallow ueventd device:file ~create_file_perms;

	neverallow vendor_init device:file ~{ read setattr map open getattr };

	neverallow ~{
	init
	vendor_init
	ueventd
	} device:lnk_file ~r_file_perms;

	neverallow { init vendor_init } device:lnk_file ~{ r_file_perms create };

	neverallow ueventd device:lnk_file ~{ r_file_perms create unlink };

	neverallow {
	coredomain
	-apexd
	-cameraserver
	-fastbootd
	-hal_camera
	-init
	-otapreopt_chroot
	-recovery
	-shell
	-slideshow
	-system_server
	-vendor_init
	-vold
	-ueventd
	} device:dir ~{ search getattr };

	neverallow {
	cameraserver
	fastbootd
	hal_camera
	system_server
	shell
	slideshow
	recovery
	} device:dir ~r_dir_perms;

	neverallow init device:dir ~{ create_dir_perms mounton relabelto };

	neverallow vendor_init device:dir ~{ create_dir_perms mounton };

	neverallow vold device:dir ~{ search getattr write };

	neverallow ueventd device:dir ~create_dir_perms;
	')

	# Do not allow access to the generic socket_device label. This is too broad.
	# Instead, if access to part of socket_device is desired, it should have a
	# more specific label.
	full_treble_only(`
	neverallow * socket_device:{ file sock_file fifo_file } *;

	neverallow ~{
	init
	shell
	ueventd
	vendor_init
	} socket_device:chr_file *;

	neverallow {
	init
	vendor_init
	} socket_device:chr_file ~{ setattr };

	neverallow shell socket_device:chr_file ~{ getattr };

	neverallow ueventd socket_device:chr_file ~{ getattr create setattr unlink };

	neverallow ~{
	apexd
	dumpstate
	e2fs
	fsck
	fsck_untrusted
	init
	recovery
	shell
	ueventd
	vendor_init
	} socket_device:blk_file *;

	neverallow {
	apexd
	dumpstate
	e2fs
	fsck
	fsck_untrusted
	shell
	vendor_init
	} socket_device:blk_file ~getattr;

	neverallow init socket_device:blk_file ~r_file_perms;

	neverallow recovery socket_device:blk_file ~rw_file_perms;

	neverallow ueventd socket_device:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };

	neverallow ~{
	init
	ueventd
	vendor_init
	} socket_device:lnk_file ~r_file_perms;

	neverallow {
	init
	vendor_init
	} socket_device:lnk_file ~{ r_file_perms create };

	neverallow ueventd socket_device:lnk_file ~{ r_file_perms create unlink };

	neverallow ~{
	init
	ueventd
	vendor_init
	} socket_device:dir ~r_dir_perms;

	neverallow init socket_device:dir ~{ create_dir_perms relabelto };

	neverallow {
	ueventd
	vendor_init
	} socket_device:dir ~create_dir_perms;

	')

	# Do not allow access to the generic block_device label. This is too broad.
	# Instead, if access to part of block_device is desired, it should have a
	# more specific label.
	#full_treble_only(`
	# neverallow * block_device:dir_file_class_set *;
	#')

	# Do not allow access to the generic bootdevice_block_device label. This is
	# too broad.
	# Instead, if access to part of bootdevice_block_device is desired, it should
	# have a more specific label.
	#full_treble_only(`
	# neverallow * bootdevice_block_device:dir_file_class_set *;
	#')