Update prebuilts to fix sepolicy_freeze_test am: 5de1b2096d am: c84be7da03 am: 96b242efa2
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2199642
Change-Id: I8e2b7d566aaa440d563e0166542a3707d9f619ec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/Android.bp b/Android.bp
index 8e2a966..4028215 100644
--- a/Android.bp
+++ b/Android.bp
@@ -44,156 +44,6 @@
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
-se_filegroup {
- name: "28.0.board.compat.map",
- srcs: [
- "compat/28.0/28.0.cil",
- ],
-}
-
-se_filegroup {
- name: "29.0.board.compat.map",
- srcs: [
- "compat/29.0/29.0.cil",
- ],
-}
-
-se_filegroup {
- name: "30.0.board.compat.map",
- srcs: [
- "compat/30.0/30.0.cil",
- ],
-}
-
-se_filegroup {
- name: "31.0.board.compat.map",
- srcs: [
- "compat/31.0/31.0.cil",
- ],
-}
-
-se_filegroup {
- name: "32.0.board.compat.map",
- srcs: [
- "compat/32.0/32.0.cil",
- ],
-}
-
-se_filegroup {
- name: "28.0.board.compat.cil",
- srcs: [
- "compat/28.0/28.0.compat.cil",
- ],
-}
-
-se_filegroup {
- name: "29.0.board.compat.cil",
- srcs: [
- "compat/29.0/29.0.compat.cil",
- ],
-}
-
-se_filegroup {
- name: "30.0.board.compat.cil",
- srcs: [
- "compat/30.0/30.0.compat.cil",
- ],
-}
-
-se_filegroup {
- name: "31.0.board.compat.cil",
- srcs: [
- "compat/31.0/31.0.compat.cil",
- ],
-}
-
-se_filegroup {
- name: "32.0.board.compat.cil",
- srcs: [
- "compat/32.0/32.0.compat.cil",
- ],
-}
-
-se_filegroup {
- name: "28.0.board.ignore.map",
- srcs: [
- "compat/28.0/28.0.ignore.cil",
- ],
-}
-
-se_filegroup {
- name: "29.0.board.ignore.map",
- srcs: [
- "compat/29.0/29.0.ignore.cil",
- ],
-}
-
-se_filegroup {
- name: "30.0.board.ignore.map",
- srcs: [
- "compat/30.0/30.0.ignore.cil",
- ],
-}
-
-se_filegroup {
- name: "31.0.board.ignore.map",
- srcs: [
- "compat/31.0/31.0.ignore.cil",
- ],
-}
-
-se_filegroup {
- name: "32.0.board.ignore.map",
- srcs: [
- "compat/32.0/32.0.ignore.cil",
- ],
-}
-
-se_build_files {
- name: "file_contexts_files",
- srcs: ["file_contexts"],
-}
-
-se_build_files {
- name: "file_contexts_asan_files",
- srcs: ["file_contexts_asan"],
-}
-
-se_build_files {
- name: "file_contexts_overlayfs_files",
- srcs: ["file_contexts_overlayfs"],
-}
-
-se_build_files {
- name: "hwservice_contexts_files",
- srcs: ["hwservice_contexts"],
-}
-
-se_build_files {
- name: "property_contexts_files",
- srcs: ["property_contexts"],
-}
-
-se_build_files {
- name: "service_contexts_files",
- srcs: ["service_contexts"],
-}
-
-se_build_files {
- name: "keystore2_key_contexts_files",
- srcs: ["keystore2_key_contexts"],
-}
-
-se_build_files {
- name: "seapp_contexts_files",
- srcs: ["seapp_contexts"],
-}
-
-se_build_files {
- name: "vndservice_contexts_files",
- srcs: ["vndservice_contexts"],
-}
-
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
@@ -367,6 +217,22 @@
stem: "apex_sepolicy.cil",
}
+se_policy_cil {
+ name: "decompiled_sepolicy-without_apex.cil",
+ src: ":precompiled_sepolicy-without_apex",
+ decompile_binary: true,
+}
+
+se_policy_cil {
+ name: "apex_sepolicy-33.decompiled.cil",
+ src: ":precompiled_sepolicy",
+ decompile_binary: true,
+ filter_out: [":decompiled_sepolicy-without_apex.cil"],
+ additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+ secilc_check: false,
+ stem: "apex_sepolicy.decompiled.cil",
+}
+
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
@@ -875,6 +741,50 @@
},
}
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy-without_apex",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ],
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ IS_TARGET_MIXED_SEPOLICY: {
+ ignore_neverallow: true,
+ },
+ MIXED_SEPOLICY_VERSION: {
+ srcs: [
+ ":plat_%s.cil",
+ ":system_ext_%s.cil",
+ ":product_%s.cil",
+ ],
+ conditions_default: {
+ srcs: [
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ },
+ },
+ },
+ required: [
+ "sepolicy_neverallows",
+ "sepolicy_neverallows_vendor",
+ ],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
@@ -1055,27 +965,27 @@
}
// bug_map - Bug tracking information for selinux denials loaded by auditd.
-se_filegroup {
+se_build_files {
name: "bug_map_files",
srcs: ["bug_map"],
}
se_bug_map {
name: "plat_bug_map",
- srcs: [":bug_map_files"],
+ srcs: [":bug_map_files{.plat_private}"],
stem: "bug_map",
}
se_bug_map {
name: "system_ext_bug_map",
- srcs: [":bug_map_files"],
+ srcs: [":bug_map_files{.system_ext_private}"],
stem: "bug_map",
system_ext_specific: true,
}
se_bug_map {
name: "vendor_bug_map",
- srcs: [":bug_map_files"],
+ srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
// Legacy file name of the vendor partition bug_map.
stem: "selinux_denial_metadata",
vendor: true,
diff --git a/Android.mk b/Android.mk
index 8fd90b0..8f0b37c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -54,15 +54,7 @@
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
- # TODO: Disallow BOARD_PLAT_*
- SYSTEM_EXT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-endif
SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
- # TODO: Disallow BOARD_PLAT_*
- SYSTEM_EXT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
-endif
PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
@@ -332,6 +324,7 @@
plat_service_contexts_test \
plat_hwservice_contexts \
plat_hwservice_contexts_test \
+ fuzzer_bindings_test \
plat_bug_map \
searchpolicy \
@@ -485,6 +478,7 @@
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -668,7 +662,6 @@
file_contexts.modules.tmp :=
##################################
-include $(LOCAL_PATH)/mac_permissions.mk
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
diff --git a/TEST_MAPPING b/TEST_MAPPING
index cf99902..efcdb36 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -11,8 +11,10 @@
},
{
"include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
+ },
+ {
+ "include-filter": "android.security.cts.SeamendcHostTest"
}
-
]
},
{
diff --git a/apex/Android.bp b/apex/Android.bp
index dda949f..8c9db86 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -265,3 +265,10 @@
"com.android.ondevicepersonalization-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.healthconnect-file_contexts",
+ srcs: [
+ "com.android.healthconnect-file_contexts",
+ ],
+}
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 2533cac..f1aa92b 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -1,10 +1,11 @@
#############################
# System files
#
-(/.*)? u:object_r:system_file:s0
-/bin/artd u:object_r:artd_exec:s0
-/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
-/bin/odrefresh u:object_r:odrefresh_exec:s0
-/bin/profman u:object_r:profman_exec:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/art_exec u:object_r:art_exec_exec:s0
+/bin/artd u:object_r:artd_exec:s0
+/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh u:object_r:odrefresh_exec:s0
+/bin/profman u:object_r:profman_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a0e9ea0..cc60b70 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,8 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/art_exec u:object_r:art_exec_exec:s0
+/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
diff --git a/apex/com.android.healthconnect-file_contexts b/apex/com.android.healthconnect-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.healthconnect-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 8518d4d..83b31b4 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -35,7 +35,7 @@
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
- "filegroup.go",
+ "mac_permissions.go",
"policy.go",
"selinux.go",
"selinux_contexts.go",
@@ -43,6 +43,8 @@
"sepolicy_neverallow.go",
"sepolicy_vers.go",
"versioned_policy.go",
+ "service_fuzzer_bindings.go",
+ "validate_bindings.go",
],
pluginFor: ["soong_build"],
}
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
index 00df33c..e24a21b 100644
--- a/build/soong/bug_map.go
+++ b/build/soong/bug_map.go
@@ -40,7 +40,7 @@
}
type bugMapProperties struct {
- // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+ // List of source files or se_build_files modules.
Srcs []string `android:"path"`
// Output file name. Defaults to module name if unspecified.
@@ -52,31 +52,7 @@
}
func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
- srcPaths := make(android.Paths, 0, len(b.properties.Srcs))
- for _, src := range b.properties.Srcs {
- if m := android.SrcIsModule(src); m != "" {
- module := android.GetModuleFromPathDep(ctx, m, "")
- if module == nil {
- // Error would have been handled by ExtractSourcesDeps
- continue
- }
- if fg, ok := module.(*fileGroup); ok {
- if b.SocSpecific() {
- srcPaths = append(srcPaths, fg.VendorSrcs()...)
- srcPaths = append(srcPaths, fg.SystemVendorSrcs()...)
- } else if b.SystemExtSpecific() {
- srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
- } else {
- srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
- }
- } else {
- ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
- }
- } else {
- srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
- }
- }
- return android.FirstUniquePaths(srcPaths)
+ return android.PathsForModuleSrc(ctx, b.properties.Srcs)
}
func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 6cc40c6..383a282 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -92,10 +92,10 @@
func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
b.srcs = make(map[string]android.Paths)
- b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
- b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))
- b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))
- b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
+ b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "reqd_mask"))
+ b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "public"))
+ b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "private"))
+ b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "vendor"))
b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)
b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)
b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
@@ -117,8 +117,8 @@
// use vendor-supplied plat prebuilts
b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
- b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
- b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
+ b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
+ b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
@@ -127,8 +127,8 @@
// directories used for compat tests and Treble tests
for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
- b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
- b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
+ b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
+ b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "private"))
b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
b.srcs[".system_ext_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
b.srcs[".product_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 78e870e..c9daf7c 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -59,7 +59,7 @@
// se_cil_compat_map module representing a compatibility mapping file for
// platform versions (x->y). Bottom half represents a mapping (y->z).
// Together the halves are used to generate a (x->z) mapping.
- Top_half *string
+ Top_half *string `android:"path"`
// list of source (.cil) files used to build an the bottom half of sepolicy
// compatibility mapping file. bottom_half may reference the outputs of
// other modules that produce source files like genrule or filegroup using
@@ -94,31 +94,7 @@
}
func expandSeSources(ctx android.ModuleContext, srcFiles []string) android.Paths {
- expandedSrcFiles := make(android.Paths, 0, len(srcFiles))
- for _, s := range srcFiles {
- if m := android.SrcIsModule(s); m != "" {
- module := android.GetModuleFromPathDep(ctx, m, "")
- if module == nil {
- // Error will have been handled by ExtractSourcesDeps
- continue
- }
- if fg, ok := module.(*fileGroup); ok {
- if ctx.ProductSpecific() {
- expandedSrcFiles = append(expandedSrcFiles, fg.ProductPrivateSrcs()...)
- } else if ctx.SystemExtSpecific() {
- expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
- } else {
- expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
- }
- } else {
- ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup", m)
- }
- } else {
- p := android.PathForModuleSrc(ctx, s)
- expandedSrcFiles = append(expandedSrcFiles, p)
- }
- }
- return expandedSrcFiles
+ return android.PathsForModuleSrc(ctx, srcFiles)
}
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index e7b3af2..afd2396 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -48,7 +48,7 @@
}
type compatCilProperties struct {
- // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+ // List of source files. Can reference se_build_files type modules with the ":module" syntax.
Srcs []string `android:"path"`
// Output file name. Defaults to module name if unspecified.
@@ -60,28 +60,7 @@
}
func (c *compatCil) expandSeSources(ctx android.ModuleContext) android.Paths {
- srcPaths := make(android.Paths, 0, len(c.properties.Srcs))
- for _, src := range c.properties.Srcs {
- if m := android.SrcIsModule(src); m != "" {
- module := android.GetModuleFromPathDep(ctx, m, "")
- if module == nil {
- // Error would have been handled by ExtractSourcesDeps
- continue
- }
- if fg, ok := module.(*fileGroup); ok {
- if c.SystemExtSpecific() {
- srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
- } else {
- srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
- }
- } else {
- ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
- }
- } else {
- srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
- }
- }
- return srcPaths
+ return android.PathsForModuleSrc(ctx, c.properties.Srcs)
}
func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
deleted file mode 100644
index 9dd4bd9..0000000
--- a/build/soong/filegroup.go
+++ /dev/null
@@ -1,156 +0,0 @@
-// Copyright 2018 Google Inc. All rights reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "android/soong/android"
- "path/filepath"
-)
-
-func init() {
- android.RegisterModuleType("se_filegroup", FileGroupFactory)
-}
-
-func FileGroupFactory() android.Module {
- module := &fileGroup{}
- module.AddProperties(&module.properties)
- android.InitAndroidModule(module)
- return module
-}
-
-type fileGroupProperties struct {
- // list of source file suffixes used to collect selinux policy files.
- // Source files will be looked up in the following local directories:
- // system/sepolicy/{public, private, vendor, reqd_mask}
- // and directories specified by following config variables:
- // BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
- Srcs []string
-}
-
-type fileGroup struct {
- android.ModuleBase
- properties fileGroupProperties
-
- systemPublicSrcs android.Paths
- systemPrivateSrcs android.Paths
- systemVendorSrcs android.Paths
- systemReqdMaskSrcs android.Paths
-
- systemExtPublicSrcs android.Paths
- systemExtPrivateSrcs android.Paths
-
- productPublicSrcs android.Paths
- productPrivateSrcs android.Paths
-
- vendorSrcs android.Paths
- vendorReqdMaskSrcs android.Paths
- odmSrcs android.Paths
-}
-
-// Source files from system/sepolicy/public
-func (fg *fileGroup) SystemPublicSrcs() android.Paths {
- return fg.systemPublicSrcs
-}
-
-// Source files from system/sepolicy/private
-func (fg *fileGroup) SystemPrivateSrcs() android.Paths {
- return fg.systemPrivateSrcs
-}
-
-// Source files from system/sepolicy/vendor
-func (fg *fileGroup) SystemVendorSrcs() android.Paths {
- return fg.systemVendorSrcs
-}
-
-// Source files from system/sepolicy/reqd_mask
-func (fg *fileGroup) SystemReqdMaskSrcs() android.Paths {
- return fg.systemReqdMaskSrcs
-}
-
-// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
-func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
- return fg.systemExtPublicSrcs
-}
-
-// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
-func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
- return fg.systemExtPrivateSrcs
-}
-
-// Source files from PRODUCT_PUBLIC_SEPOLICY_DIRS
-func (fg *fileGroup) ProductPublicSrcs() android.Paths {
- return fg.productPublicSrcs
-}
-
-// Source files from PRODUCT_PRIVATE_SEPOLICY_DIRS
-func (fg *fileGroup) ProductPrivateSrcs() android.Paths {
- return fg.productPrivateSrcs
-}
-
-// Source files from BOARD_VENDOR_SEPOLICY_DIRS
-func (fg *fileGroup) VendorSrcs() android.Paths {
- return fg.vendorSrcs
-}
-
-func (fg *fileGroup) VendorReqdMaskSrcs() android.Paths {
- return fg.vendorReqdMaskSrcs
-}
-
-// Source files from BOARD_ODM_SEPOLICY_DIRS
-func (fg *fileGroup) OdmSrcs() android.Paths {
- return fg.odmSrcs
-}
-
-func (fg *fileGroup) findSrcsInDirs(ctx android.ModuleContext, dirs []string) android.Paths {
- result := android.Paths{}
- for _, f := range fg.properties.Srcs {
- for _, d := range dirs {
- path := filepath.Join(d, f)
- files, _ := ctx.GlobWithDeps(path, nil)
- for _, f := range files {
- result = append(result, android.PathForSource(ctx, f))
- }
- }
- }
- return result
-}
-
-func (fg *fileGroup) findSrcsInDir(ctx android.ModuleContext, dir string) android.Paths {
- return fg.findSrcsInDirs(ctx, []string{dir})
-}
-
-func (fg *fileGroup) DepsMutator(ctx android.BottomUpMutatorContext) {}
-
-func (fg *fileGroup) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- fg.systemPublicSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "public"))
- fg.systemPrivateSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "private"))
- fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
-
- fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
- fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs())
-
- fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
- fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
-
- systemVendorDirs := ctx.DeviceConfig().BoardPlatVendorPolicy()
- if len(systemVendorDirs) == 0 || ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
- systemVendorDirs = []string{filepath.Join(ctx.ModuleDir(), "vendor")}
- }
- fg.systemVendorSrcs = fg.findSrcsInDirs(ctx, systemVendorDirs)
- fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
- fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
- fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
-}
diff --git a/build/soong/go.mod b/build/soong/go.mod
new file mode 100644
index 0000000..37bc985
--- /dev/null
+++ b/build/soong/go.mod
@@ -0,0 +1,23 @@
+module android/soong/sepolicy
+
+require (
+ android/soong v0.0.0
+ github.com/google/blueprint v0.0.0
+ golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
+)
+
+replace android/soong v0.0.0 => ../../../../build/soong
+
+replace google.golang.org/protobuf v0.0.0 => ../../../../external/golang-protobuf
+
+replace github.com/google/blueprint v0.0.0 => ../../../../build/blueprint
+
+// Indirect deps from golang-protobuf
+exclude github.com/golang/protobuf v1.5.0
+
+replace github.com/google/go-cmp v0.5.5 => ../../../../external/go-cmp
+
+// Indirect dep from go-cmp
+exclude golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
+
+go 1.13
diff --git a/build/soong/go.sum b/build/soong/go.sum
new file mode 100644
index 0000000..cbe76d9
--- /dev/null
+++ b/build/soong/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
diff --git a/build/soong/mac_permissions.go b/build/soong/mac_permissions.go
new file mode 100644
index 0000000..9615d12
--- /dev/null
+++ b/build/soong/mac_permissions.go
@@ -0,0 +1,144 @@
+// Copyright (C) 2019 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "io"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+var (
+ // Should be synced with keys.conf.
+ AllPlatformKeys = []string{
+ "platform",
+ "sdk_sandbox",
+ "media",
+ "networkstack",
+ "shared",
+ "testkey",
+ "bluetooth",
+ }
+)
+
+type macPermissionsProperties struct {
+ // keys.conf files to control the mapping of "tags" found in the mac_permissions.xml files.
+ Keys []string `android:"path"`
+
+ // Source files for the generated mac_permissions.xml file.
+ Srcs []string `android:"path"`
+
+ // Output file name. Defaults to module name
+ Stem *string
+}
+
+type macPermissionsModule struct {
+ android.ModuleBase
+
+ properties macPermissionsProperties
+ outputPath android.ModuleOutPath
+ installPath android.InstallPath
+}
+
+func init() {
+ android.RegisterModuleType("mac_permissions", macPermissionsFactory)
+}
+
+func getAllPlatformKeyPaths(ctx android.ModuleContext) android.Paths {
+ var platformKeys android.Paths
+
+ defaultCertificateDir := ctx.Config().DefaultAppCertificateDir(ctx)
+ for _, key := range AllPlatformKeys {
+ platformKeys = append(platformKeys, defaultCertificateDir.Join(ctx, key+".x509.pem"))
+ }
+
+ return platformKeys
+}
+
+func (m *macPermissionsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (m *macPermissionsModule) stem() string {
+ return proptools.StringDefault(m.properties.Stem, m.Name())
+}
+
+func buildVariant(ctx android.ModuleContext) string {
+ if ctx.Config().Eng() {
+ return "eng"
+ }
+ if ctx.Config().Debuggable() {
+ return "userdebug"
+ }
+ return "user"
+}
+
+func (m *macPermissionsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ platformKeys := getAllPlatformKeyPaths(ctx)
+ keys := android.PathsForModuleSrc(ctx, m.properties.Keys)
+ srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
+
+ m4Keys := android.PathForModuleGen(ctx, "mac_perms_keys.tmp")
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().
+ Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+ Text("--fatal-warnings -s").
+ FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Inputs(keys).
+ FlagWithOutput("> ", m4Keys).
+ Implicits(platformKeys)
+
+ m.outputPath = android.PathForModuleOut(ctx, m.stem())
+ rule.Command().Text("DEFAULT_SYSTEM_DEV_CERTIFICATE="+ctx.Config().DefaultAppCertificateDir(ctx).String()).
+ Text("MAINLINE_SEPOLICY_DEV_CERTIFICATES="+ctx.Config().MainlineSepolicyDevCertificatesDir(ctx).String()).
+ BuiltTool("insertkeys").
+ FlagWithArg("-t ", buildVariant(ctx)).
+ Input(m4Keys).
+ FlagWithOutput("-o ", m.outputPath).
+ Inputs(srcs)
+
+ rule.Build("mac_permission", "build "+m.Name())
+
+ m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
+}
+
+func (m *macPermissionsModule) AndroidMk() android.AndroidMkData {
+ return android.AndroidMkData{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(m.outputPath),
+ Extra: []android.AndroidMkExtraFunc{
+ func(w io.Writer, outputFile android.Path) {
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.String())
+ fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.stem())
+ },
+ },
+ }
+}
+
+// mac_permissions module generates a mac_permissions.xml file from given keys.conf and
+// source files. The following variables are supported for keys.conf files.
+//
+// DEFAULT_SYSTEM_DEV_CERTIFICATE
+// MAINLINE_SEPOLICY_DEV_CERTIFICATES
+func macPermissionsFactory() android.Module {
+ m := &macPermissionsModule{}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index b1840da..4161bb3 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -45,10 +45,9 @@
"mls",
"policy_capabilities",
"te_macros",
- "attributes",
"ioctl_defines",
"ioctl_macros",
- "*.te",
+ "attributes|*.te",
"roles_decl",
"roles",
"users",
@@ -198,7 +197,10 @@
func findPolicyConfOrder(name string) int {
for idx, pattern := range policyConfOrder {
- if pattern == name || (pattern == "*.te" && strings.HasSuffix(name, ".te")) {
+ // We could use regexp but it seems like an overkill
+ if pattern == "attributes|*.te" && (name == "attributes" || strings.HasSuffix(name, ".te")) {
+ return idx
+ } else if pattern == name {
return idx
}
}
@@ -285,6 +287,10 @@
// Policy file to be compiled to cil file.
Src *string `android:"path"`
+ // If true, the input policy file is a binary policy that will be decompiled to a cil file.
+ // Defaults to false.
+ Decompile_binary *bool
+
// Additional cil files to be added in the end of the output. This is to support workarounds
// which are not supported by the policy language.
Additional_cil_files []string `android:"path"`
@@ -336,17 +342,15 @@
func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool("checkpolicy").
+ checkpolicyCmd := rule.Command().BuiltTool("checkpolicy").
Flag("-C"). // Write CIL
Flag("-M"). // Enable MLS
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
FlagWithOutput("-o ", cil).
Input(conf)
- if len(c.properties.Additional_cil_files) > 0 {
- rule.Command().Text("cat").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
- Text(">> ").Output(cil)
+ if proptools.Bool(c.properties.Decompile_binary) {
+ checkpolicyCmd.Flag("-b") // Read binary
}
if len(c.properties.Filter_out) > 0 {
@@ -357,6 +361,12 @@
FlagWithOutput("-t ", cil)
}
+ if len(c.properties.Additional_cil_files) > 0 {
+ rule.Command().Text("cat").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+ Text(">> ").Output(cil)
+ }
+
if proptools.Bool(c.properties.Remove_line_marker) {
rule.Command().Text("grep -v").
Text(proptools.ShellEscape(";;")).
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
new file mode 100644
index 0000000..7a7f61f
--- /dev/null
+++ b/build/soong/service_fuzzer_bindings.go
@@ -0,0 +1,406 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+var (
+ ServiceFuzzerBindings = map[string][]string{
+ "android.hardware.audio.core.IConfig/default": []string{},
+ "android.hardware.audio.core.IModule/default": []string{},
+ "android.hardware.audio.effect.IFactory/default": []string{},
+ "android.hardware.authsecret.IAuthSecret/default": []string{},
+ "android.hardware.automotive.evs.IEvsEnumerator/hw/0": []string{},
+ "android.hardware.boot.IBootControl/default": []string{},
+ "android.hardware.automotive.evs.IEvsEnumerator/hw/1": []string{},
+ "android.hardware.automotive.vehicle.IVehicle/default": []string{},
+ "android.hardware.automotive.audiocontrol.IAudioControl/default": []string{},
+ "android.hardware.biometrics.face.IFace/default": []string{},
+ "android.hardware.biometrics.fingerprint.IFingerprint/default": []string{},
+ "android.hardware.biometrics.fingerprint.IFingerprint/virtual": []string{},
+ "android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": []string{},
+ "android.hardware.camera.provider.ICameraProvider/internal/0": []string{},
+ "android.hardware.contexthub.IContextHub/default": []string{},
+ "android.hardware.drm.IDrmFactory/clearkey": []string{},
+ "android.hardware.drm.ICryptoFactory/clearkey": []string{},
+ "android.hardware.dumpstate.IDumpstateDevice/default": []string{},
+ "android.hardware.gnss.IGnss/default": []string{},
+ "android.hardware.graphics.allocator.IAllocator/default": []string{},
+ "android.hardware.graphics.composer3.IComposer/default": []string{},
+ "android.hardware.health.storage.IStorage/default": []string{},
+ "android.hardware.health.IHealth/default": []string{},
+ "android.hardware.identity.IIdentityCredentialStore/default": []string{},
+ "android.hardware.input.processor.IInputProcessor/default": []string{},
+ "android.hardware.ir.IConsumerIr/default": []string{},
+ "android.hardware.light.ILights/default": []string{},
+ "android.hardware.memtrack.IMemtrack/default": []string{},
+ "android.hardware.net.nlinterceptor.IInterceptor/default": []string{},
+ "android.hardware.nfc.INfc/default": []string{},
+ "android.hardware.oemlock.IOemLock/default": []string{},
+ "android.hardware.power.IPower/default": []string{},
+ "android.hardware.power.stats.IPowerStats/default": []string{},
+ "android.hardware.radio.config.IRadioConfig/default": []string{},
+ "android.hardware.radio.data.IRadioData/slot1": []string{},
+ "android.hardware.radio.data.IRadioData/slot2": []string{},
+ "android.hardware.radio.data.IRadioData/slot3": []string{},
+ "android.hardware.radio.messaging.IRadioMessaging/slot1": []string{},
+ "android.hardware.radio.messaging.IRadioMessaging/slot2": []string{},
+ "android.hardware.radio.messaging.IRadioMessaging/slot3": []string{},
+ "android.hardware.radio.modem.IRadioModem/slot1": []string{},
+ "android.hardware.radio.modem.IRadioModem/slot2": []string{},
+ "android.hardware.radio.modem.IRadioModem/slot3": []string{},
+ "android.hardware.radio.network.IRadioNetwork/slot1": []string{},
+ "android.hardware.radio.network.IRadioNetwork/slot2": []string{},
+ "android.hardware.radio.network.IRadioNetwork/slot3": []string{},
+ "android.hardware.radio.sim.IRadioSim/slot1": []string{},
+ "android.hardware.radio.sim.IRadioSim/slot2": []string{},
+ "android.hardware.radio.sim.IRadioSim/slot3": []string{},
+ "android.hardware.radio.voice.IRadioVoice/slot1": []string{},
+ "android.hardware.radio.voice.IRadioVoice/slot2": []string{},
+ "android.hardware.radio.voice.IRadioVoice/slot3": []string{},
+ "android.hardware.rebootescrow.IRebootEscrow/default": []string{},
+ "android.hardware.security.dice.IDiceDevice/default": []string{},
+ "android.hardware.security.keymint.IKeyMintDevice/default": []string{},
+ "android.hardware.security.keymint.IRemotelyProvisionedComponent/default": []string{},
+ "android.hardware.security.secureclock.ISecureClock/default": []string{},
+ "android.hardware.security.sharedsecret.ISharedSecret/default": []string{},
+ "android.hardware.sensors.ISensors/default": []string{},
+ "android.hardware.soundtrigger3.ISoundTriggerHw/default": []string{},
+ "android.hardware.tv.input.ITvInput/default": []string{},
+ "android.hardware.tv.tuner.ITuner/default": []string{},
+ "android.hardware.usb.IUsb/default": []string{},
+ "android.hardware.uwb.IUwb/default": []string{},
+ "android.hardware.vibrator.IVibrator/default": []string{},
+ "android.hardware.vibrator.IVibratorManager/default": []string{},
+ "android.hardware.weaver.IWeaver/default": []string{},
+ "android.hardware.wifi.hostapd.IHostapd/default": []string{},
+ "android.hardware.wifi.supplicant.ISupplicant/default": []string{},
+ "android.frameworks.stats.IStats/default": []string{},
+ "android.se.omapi.ISecureElementService/default": []string{},
+ "android.system.keystore2.IKeystoreService/default": []string{},
+ "android.system.net.netd.INetd/default": []string{},
+ "android.system.suspend.ISystemSuspend/default": []string{},
+ "accessibility": []string{},
+ "account": []string{},
+ "activity": []string{},
+ "activity_task": []string{},
+ "adb": []string{},
+ "adservices_manager": []string{},
+ "aidl_lazy_test_1": []string{},
+ "aidl_lazy_test_2": []string{},
+ "aidl_lazy_cb_test": []string{},
+ "alarm": []string{},
+ "android.hardware.automotive.evs.IEvsEnumerator/default": []string{},
+ "android.os.UpdateEngineService": []string{},
+ "android.os.UpdateEngineStableService": []string{},
+ "android.frameworks.automotive.display.ICarDisplayProxy/default": []string{},
+ "android.security.apc": []string{},
+ "android.security.authorization": []string{},
+ "android.security.compat": []string{},
+ "android.security.dice.IDiceMaintenance": []string{},
+ "android.security.dice.IDiceNode": []string{},
+ "android.security.identity": []string{},
+ "android.security.keystore": []string{},
+ "android.security.legacykeystore": []string{},
+ "android.security.maintenance": []string{},
+ "android.security.metrics": []string{},
+ "android.security.remoteprovisioning": []string{},
+ "android.security.remoteprovisioning.IRemotelyProvisionedKeyPool": []string{},
+ "android.service.gatekeeper.IGateKeeperService": []string{},
+ "android.system.composd": []string{},
+ "android.system.virtualizationservice": []string{},
+ "ambient_context": []string{},
+ "app_binding": []string{},
+ "app_hibernation": []string{},
+ "app_integrity": []string{},
+ "app_prediction": []string{},
+ "app_search": []string{},
+ "apexservice": []string{},
+ "attestation_verification": []string{},
+ "blob_store": []string{},
+ "gsiservice": []string{},
+ "appops": []string{},
+ "appwidget": []string{},
+ "artd": []string{},
+ "assetatlas": []string{},
+ "attention": []string{},
+ "audio": []string{},
+ "auth": []string{},
+ "autofill": []string{},
+ "backup": []string{},
+ "batteryproperties": []string{},
+ "batterystats": []string{},
+ "battery": []string{},
+ "binder_calls_stats": []string{},
+ "biometric": []string{},
+ "bluetooth_manager": []string{},
+ "bluetooth": []string{},
+ "broadcastradio": []string{},
+ "bugreport": []string{},
+ "cacheinfo": []string{},
+ "carrier_config": []string{},
+ "clipboard": []string{},
+ "cloudsearch": []string{},
+ "cloudsearch_service": []string{},
+ "com.android.net.IProxyService": []string{},
+ "companiondevice": []string{},
+ "communal": []string{},
+ "platform_compat": []string{},
+ "platform_compat_native": []string{},
+ "connectivity": []string{},
+ "connectivity_native": []string{},
+ "connmetrics": []string{},
+ "consumer_ir": []string{},
+ "content": []string{},
+ "content_capture": []string{},
+ "content_suggestions": []string{},
+ "contexthub": []string{},
+ "country_detector": []string{},
+ "coverage": []string{},
+ "cpuinfo": []string{},
+ "crossprofileapps": []string{},
+ "dataloader_manager": []string{},
+ "dbinfo": []string{},
+ "device_config": []string{},
+ "device_policy": []string{},
+ "device_identifiers": []string{},
+ "deviceidle": []string{},
+ "device_state": []string{},
+ "devicestoragemonitor": []string{},
+ "diskstats": []string{},
+ "display": []string{},
+ "dnsresolver": []string{},
+ "domain_verification": []string{},
+ "color_display": []string{},
+ "netd_listener": []string{},
+ "network_watchlist": []string{},
+ "DockObserver": []string{},
+ "dreams": []string{},
+ "drm.drmManager": []string{},
+ "dropbox": []string{},
+ "dumpstate": []string{},
+ "dynamic_system": []string{},
+ "econtroller": []string{},
+ "emergency_affordance": []string{},
+ "euicc_card_controller": []string{},
+ "external_vibrator_service": []string{},
+ "ethernet": []string{},
+ "face": []string{},
+ "file_integrity": []string{},
+ "fingerprint": []string{},
+ "font": []string{},
+ "android.hardware.fingerprint.IFingerprintDaemon": []string{},
+ "game": []string{},
+ "gfxinfo": []string{},
+ "gnss_time_update_service": []string{},
+ "graphicsstats": []string{},
+ "gpu": []string{},
+ "hardware": []string{},
+ "hardware_properties": []string{},
+ "hdmi_control": []string{},
+ "ions": []string{},
+ "idmap": []string{},
+ "incident": []string{},
+ "incidentcompanion": []string{},
+ "inputflinger": []string{},
+ "input_method": []string{},
+ "input": []string{},
+ "installd": []string{},
+ "iphonesubinfo_msim": []string{},
+ "iphonesubinfo2": []string{},
+ "iphonesubinfo": []string{},
+ "ims": []string{},
+ "imms": []string{},
+ "incremental": []string{},
+ "ipsec": []string{},
+ "ircsmessage": []string{},
+ "iris": []string{},
+ "isms_msim": []string{},
+ "isms2": []string{},
+ "isms": []string{},
+ "isub": []string{},
+ "jobscheduler": []string{},
+ "launcherapps": []string{},
+ "legacy_permission": []string{},
+ "lights": []string{},
+ "locale": []string{},
+ "location": []string{},
+ "location_time_zone_manager": []string{},
+ "lock_settings": []string{},
+ "logcat": []string{},
+ "logd": []string{},
+ "looper_stats": []string{},
+ "lpdump_service": []string{},
+ "mdns": []string{},
+ "media.aaudio": []string{},
+ "media.audio_flinger": []string{},
+ "media.audio_policy": []string{},
+ "media.camera": []string{},
+ "media.camera.proxy": []string{},
+ "media.log": []string{},
+ "media.player": []string{},
+ "media.metrics": []string{},
+ "media.extractor": []string{},
+ "media.transcoding": []string{},
+ "media.resource_manager": []string{},
+ "media.resource_observer": []string{},
+ "media.sound_trigger_hw": []string{},
+ "media.drm": []string{},
+ "media.tuner": []string{},
+ "media_communication": []string{},
+ "media_metrics": []string{},
+ "media_projection": []string{},
+ "media_resource_monitor": []string{},
+ "media_router": []string{},
+ "media_session": []string{},
+ "meminfo": []string{},
+ "memtrack.proxy": []string{},
+ "midi": []string{},
+ "mount": []string{},
+ "music_recognition": []string{},
+ "nearby": []string{},
+ "netd": []string{},
+ "netpolicy": []string{},
+ "netstats": []string{},
+ "network_stack": []string{},
+ "network_management": []string{},
+ "network_score": []string{},
+ "network_time_update_service": []string{},
+ "nfc": []string{},
+ "notification": []string{},
+ "oem_lock": []string{},
+ "otadexopt": []string{},
+ "overlay": []string{},
+ "pac_proxy": []string{},
+ "package": []string{},
+ "package_native": []string{},
+ "people": []string{},
+ "performance_hint": []string{},
+ "permission": []string{},
+ "permissionmgr": []string{},
+ "permission_checker": []string{},
+ "persistent_data_block": []string{},
+ "phone_msim": []string{},
+ "phone1": []string{},
+ "phone2": []string{},
+ "phone": []string{},
+ "pinner": []string{},
+ "powerstats": []string{},
+ "power": []string{},
+ "print": []string{},
+ "processinfo": []string{},
+ "procstats": []string{},
+ "profcollectd": []string{},
+ "radio.phonesubinfo": []string{},
+ "radio.phone": []string{},
+ "radio.sms": []string{},
+ "rcs": []string{},
+ "reboot_readiness": []string{},
+ "recovery": []string{},
+ "resolver": []string{},
+ "resources": []string{},
+ "restrictions": []string{},
+ "role": []string{},
+ "rollback": []string{},
+ "rttmanager": []string{},
+ "runtime": []string{},
+ "safety_center": []string{},
+ "samplingprofiler": []string{},
+ "scheduling_policy": []string{},
+ "search": []string{},
+ "search_ui": []string{},
+ "secure_element": []string{},
+ "sec_key_att_app_id_provider": []string{},
+ "selection_toolbar": []string{},
+ "sensorservice": []string{},
+ "sensor_privacy": []string{},
+ "serial": []string{},
+ "servicediscovery": []string{},
+ "manager": []string{},
+ "settings": []string{},
+ "shortcut": []string{},
+ "simphonebook_msim": []string{},
+ "simphonebook2": []string{},
+ "simphonebook": []string{},
+ "sip": []string{},
+ "slice": []string{},
+ "smartspace": []string{},
+ "speech_recognition": []string{},
+ "stats": []string{},
+ "statsbootstrap": []string{},
+ "statscompanion": []string{},
+ "statsmanager": []string{},
+ "soundtrigger": []string{},
+ "soundtrigger_middleware": []string{},
+ "statusbar": []string{},
+ "storaged": []string{},
+ "storaged_pri": []string{},
+ "storagestats": []string{},
+ "sdk_sandbox": []string{},
+ "SurfaceFlinger": []string{},
+ "SurfaceFlingerAIDL": []string{},
+ "suspend_control": []string{},
+ "suspend_control_internal": []string{},
+ "system_config": []string{},
+ "system_server_dumper": []string{},
+ "system_update": []string{},
+ "tare": []string{},
+ "task": []string{},
+ "telecom": []string{},
+ "telephony.registry": []string{},
+ "telephony_ims": []string{},
+ "testharness": []string{},
+ "tethering": []string{},
+ "textclassification": []string{},
+ "textservices": []string{},
+ "texttospeech": []string{},
+ "time_detector": []string{},
+ "time_zone_detector": []string{},
+ "thermalservice": []string{},
+ "tracing.proxy": []string{},
+ "translation": []string{},
+ "transparency": []string{},
+ "trust": []string{},
+ "tv_interactive_app": []string{},
+ "tv_input": []string{},
+ "tv_tuner_resource_mgr": []string{},
+ "uce": []string{},
+ "uimode": []string{},
+ "updatelock": []string{},
+ "uri_grants": []string{},
+ "usagestats": []string{},
+ "usb": []string{},
+ "user": []string{},
+ "uwb": []string{},
+ "vcn_management": []string{},
+ "vibrator": []string{},
+ "vibrator_manager": []string{},
+ "virtualdevice": []string{},
+ "virtual_touchpad": []string{},
+ "voiceinteraction": []string{},
+ "vold": []string{},
+ "vpn_management": []string{},
+ "vrmanager": []string{},
+ "wallpaper": []string{},
+ "wallpaper_effects_generation": []string{},
+ "webviewupdate": []string{},
+ "wifip2p": []string{},
+ "wifiscanner": []string{},
+ "wifi": []string{},
+ "wifinl80211": []string{},
+ "wifiaware": []string{},
+ "wifirtt": []string{},
+ "window": []string{},
+ "*": []string{},
+ }
+)
diff --git a/build/soong/validate_bindings.go b/build/soong/validate_bindings.go
new file mode 100644
index 0000000..3132453
--- /dev/null
+++ b/build/soong/validate_bindings.go
@@ -0,0 +1,109 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "encoding/json"
+ "fmt"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("fuzzer_bindings_test", fuzzerBindingsTestFactory)
+ android.PreArchMutators(registerFuzzerMutators)
+}
+
+func registerFuzzerMutators(ctx android.RegisterMutatorsContext) {
+ ctx.BottomUp("addFuzzerConfigDeps", addFuzzerConfigDeps).Parallel()
+}
+
+func addFuzzerConfigDeps(ctx android.BottomUpMutatorContext) {
+ if _, ok := ctx.Module().(*fuzzerBindingsTestModule); ok {
+ for _, fuzzers := range ServiceFuzzerBindings {
+ for _, fuzzer := range fuzzers {
+ if !ctx.OtherModuleExists(fuzzer) {
+ panic(fmt.Errorf("Fuzzer doesn't exist : %s", fuzzer))
+ }
+ }
+ }
+ }
+}
+
+type bindingsTestProperties struct {
+ // Contexts files to be tested.
+ Srcs []string `android:"path"`
+}
+
+type fuzzerBindingsTestModule struct {
+ android.ModuleBase
+ tool string
+ properties bindingsTestProperties
+ testTimestamp android.ModuleOutPath
+}
+
+// fuzzer_bindings_test checks if a fuzzer is implemented for every service in service_contexts
+func fuzzerBindingsTestFactory() android.Module {
+ m := &fuzzerBindingsTestModule{tool: "fuzzer_bindings_check"}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+func (m *fuzzerBindingsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ tool := m.tool
+ if tool != "fuzzer_bindings_check" {
+ panic(fmt.Errorf("%q: unknown tool name: %q", ctx.ModuleName(), tool))
+ }
+
+ if len(m.properties.Srcs) == 0 {
+ ctx.PropertyErrorf("srcs", "can't be empty")
+ return
+ }
+
+ // Generate a json file which contains existing bindings
+ rootPath := android.PathForIntermediates(ctx, "bindings.json")
+ jsonString, parseError := json.Marshal(ServiceFuzzerBindings)
+ if parseError != nil {
+ panic(fmt.Errorf("Error while marshalling ServiceFuzzerBindings dict. Check Format"))
+ }
+ android.WriteFileRule(ctx, rootPath, string(jsonString))
+
+ //input module json, service context and binding files here
+ srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ rule.Command().BuiltTool(tool).Flag("-s").Inputs(srcs).Flag("-b").Input(rootPath)
+
+ // Every Soong module needs to generate an output even if it doesn't require it
+ m.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
+ rule.Command().Text("touch").Output(m.testTimestamp)
+ rule.Build("fuzzer_bindings_test", "running service:fuzzer bindings test: "+ctx.ModuleName())
+}
+
+func (m *fuzzerBindingsTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "FAKE",
+ // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
+ // Without OutputFile this module won't be exported to Makefile.
+ OutputFile: android.OptionalPathForPath(m.testTimestamp),
+ Include: "$(BUILD_PHONY_PACKAGE)",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", m.testTimestamp.String())
+ },
+ },
+ }}
+}
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
new file mode 100644
index 0000000..3c47764
--- /dev/null
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -0,0 +1,93 @@
+; This file is required for sepolicy amend (go/seamendc).
+; The seamendc binary reads an amend SELinux policy as input in CIL format and applies its rules to
+; a binary SELinux policy. To parse the input correctly, we require the amend policy to be a valid
+; standalone policy. This file contains the preliminary statements(sid, sidorder, etc.) and
+; definitions (type, typeattribute, class, etc.) necessary to make the amend policy compile
+; successfully.
+(sid amend)
+(sidorder (amend))
+
+(classorder (file service_manager))
+
+;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
+(type shell)
+(type sepolicy_test_file)
+(class file (ioctl read getattr lock map open watch watch_reads execute_no_trans))
+
+;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
+(class service_manager (add find list ))
+
+(type activity_service)
+(type activity_task_service)
+(type appops_service)
+(type audioserver_service)
+(type audio_service)
+(type batteryproperties_service)
+(type batterystats_service)
+(type connectivity_service)
+(type connmetrics_service)
+(type deviceidle_service)
+(type display_service)
+(type dropbox_service)
+(type font_service)
+(type game_service)
+(type gpu_service)
+(type graphicsstats_service)
+(type hardware_properties_service)
+(type hint_service)
+(type imms_service)
+(type input_method_service)
+(type input_service)
+(type IProxyService_service)
+(type ipsec_service)
+(type launcherapps_service)
+(type legacy_permission_service)
+(type light_service)
+(type locale_service)
+(type media_communication_service)
+(type mediaextractor_service)
+(type mediametrics_service)
+(type media_projection_service)
+(type media_router_service)
+(type mediaserver_service)
+(type media_session_service)
+(type memtrackproxy_service)
+(type midi_service)
+(type netpolicy_service)
+(type netstats_service)
+(type network_management_service)
+(type notification_service)
+(type package_service)
+(type permission_checker_service)
+(type permissionmgr_service)
+(type permission_service)
+(type platform_compat_service)
+(type power_service)
+(type procstats_service)
+(type registry_service)
+(type restrictions_service)
+(type rttmanager_service)
+(type sdk_sandbox)
+(type search_service)
+(type selection_toolbar_service)
+(type sensor_privacy_service)
+(type sensorservice_service)
+(type servicediscovery_service)
+(type settings_service)
+(type speech_recognition_service)
+(type statusbar_service)
+(type storagestats_service)
+(type surfaceflinger_service)
+(type system_linker_exec)
+(type telecom_service)
+(type tethering_service)
+(type textclassification_service)
+(type textservices_service)
+(type texttospeech_service)
+(type thermal_service)
+(type translation_service)
+(type tv_iapp_service)
+(type tv_input_service)
+(type uimode_service)
+(type vcn_management_service)
+(type webviewupdate_service)
diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te
new file mode 100644
index 0000000..7c7b15b
--- /dev/null
+++ b/com.android.sepolicy/33/sdk_sandbox.te
@@ -0,0 +1,77 @@
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
diff --git a/compat/Android.bp b/compat/Android.bp
index bc8409a..895b5e7 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -23,45 +23,178 @@
default_applicable_licenses: ["system_sepolicy_license"],
}
+se_build_files {
+ name: "28.0.board.compat.map",
+ srcs: [
+ "compat/28.0/28.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "29.0.board.compat.map",
+ srcs: [
+ "compat/29.0/29.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "30.0.board.compat.map",
+ srcs: [
+ "compat/30.0/30.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "31.0.board.compat.map",
+ srcs: [
+ "compat/31.0/31.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "32.0.board.compat.map",
+ srcs: [
+ "compat/32.0/32.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "33.0.board.compat.map",
+ srcs: [
+ "compat/33.0/33.0.cil",
+ ],
+}
+
+se_build_files {
+ name: "28.0.board.compat.cil",
+ srcs: [
+ "compat/28.0/28.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "29.0.board.compat.cil",
+ srcs: [
+ "compat/29.0/29.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "30.0.board.compat.cil",
+ srcs: [
+ "compat/30.0/30.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "31.0.board.compat.cil",
+ srcs: [
+ "compat/31.0/31.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "32.0.board.compat.cil",
+ srcs: [
+ "compat/32.0/32.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "33.0.board.compat.cil",
+ srcs: [
+ "compat/33.0/33.0.compat.cil",
+ ],
+}
+
+se_build_files {
+ name: "28.0.board.ignore.map",
+ srcs: [
+ "compat/28.0/28.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "29.0.board.ignore.map",
+ srcs: [
+ "compat/29.0/29.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "30.0.board.ignore.map",
+ srcs: [
+ "compat/30.0/30.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "31.0.board.ignore.map",
+ srcs: [
+ "compat/31.0/31.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "32.0.board.ignore.map",
+ srcs: [
+ "compat/32.0/32.0.ignore.cil",
+ ],
+}
+
+se_build_files {
+ name: "33.0.board.ignore.map",
+ srcs: [
+ "compat/33.0/33.0.ignore.cil",
+ ],
+}
+
se_cil_compat_map {
name: "plat_28.0.cil",
stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
+ bottom_half: [":28.0.board.compat.map{.plat_private}"],
top_half: "plat_29.0.cil",
}
se_cil_compat_map {
name: "plat_29.0.cil",
stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
+ bottom_half: [":29.0.board.compat.map{.plat_private}"],
top_half: "plat_30.0.cil",
}
se_cil_compat_map {
name: "plat_30.0.cil",
stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
+ bottom_half: [":30.0.board.compat.map{.plat_private}"],
top_half: "plat_31.0.cil",
}
se_cil_compat_map {
name: "plat_31.0.cil",
stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
+ bottom_half: [":31.0.board.compat.map{.plat_private}"],
top_half: "plat_32.0.cil",
}
se_cil_compat_map {
name: "plat_32.0.cil",
stem: "32.0.cil",
- bottom_half: [":32.0.board.compat.map"],
- // top_half: "plat_33.0.cil",
+ bottom_half: [":32.0.board.compat.map{.plat_private}"],
+ top_half: "plat_33.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_33.0.cil",
+ stem: "33.0.cil",
+ bottom_half: [":33.0.board.compat.map{.plat_private}"],
+ // top_half: "plat_34.0.cil",
}
se_cil_compat_map {
name: "system_ext_28.0.cil",
stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
+ bottom_half: [":28.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_29.0.cil",
system_ext_specific: true,
}
@@ -69,7 +202,7 @@
se_cil_compat_map {
name: "system_ext_29.0.cil",
stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
+ bottom_half: [":29.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_30.0.cil",
system_ext_specific: true,
}
@@ -77,7 +210,7 @@
se_cil_compat_map {
name: "system_ext_30.0.cil",
stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
+ bottom_half: [":30.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_31.0.cil",
system_ext_specific: true,
}
@@ -85,7 +218,7 @@
se_cil_compat_map {
name: "system_ext_31.0.cil",
stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
+ bottom_half: [":31.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_32.0.cil",
system_ext_specific: true,
}
@@ -93,15 +226,23 @@
se_cil_compat_map {
name: "system_ext_32.0.cil",
stem: "32.0.cil",
- bottom_half: [":32.0.board.compat.map"],
- // top_half: "system_ext_33.0.cil",
+ bottom_half: [":32.0.board.compat.map{.system_ext_private}"],
+ top_half: "system_ext_33.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_33.0.cil",
+ stem: "33.0.cil",
+ bottom_half: [":33.0.board.compat.map{.system_ext_private}"],
+ // top_half: "system_ext_34.0.cil",
system_ext_specific: true,
}
se_cil_compat_map {
name: "product_28.0.cil",
stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
+ bottom_half: [":28.0.board.compat.map{.product_private}"],
top_half: "product_29.0.cil",
product_specific: true,
}
@@ -109,7 +250,7 @@
se_cil_compat_map {
name: "product_29.0.cil",
stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
+ bottom_half: [":29.0.board.compat.map{.product_private}"],
top_half: "product_30.0.cil",
product_specific: true,
}
@@ -117,7 +258,7 @@
se_cil_compat_map {
name: "product_30.0.cil",
stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
+ bottom_half: [":30.0.board.compat.map{.product_private}"],
top_half: "product_31.0.cil",
product_specific: true,
}
@@ -125,7 +266,7 @@
se_cil_compat_map {
name: "product_31.0.cil",
stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
+ bottom_half: [":31.0.board.compat.map{.product_private}"],
top_half: "product_32.0.cil",
product_specific: true,
}
@@ -133,143 +274,183 @@
se_cil_compat_map {
name: "product_32.0.cil",
stem: "32.0.cil",
- bottom_half: [":32.0.board.compat.map"],
- // top_half: "product_33.0.cil",
+ bottom_half: [":32.0.board.compat.map{.product_private}"],
+ top_half: "product_33.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_33.0.cil",
+ stem: "33.0.cil",
+ bottom_half: [":33.0.board.compat.map{.product_private}"],
+ // top_half: "product_34.0.cil",
product_specific: true,
}
se_cil_compat_map {
name: "28.0.ignore.cil",
- bottom_half: [":28.0.board.ignore.map"],
+ bottom_half: [":28.0.board.ignore.map{.plat_private}"],
top_half: "29.0.ignore.cil",
}
se_cil_compat_map {
name: "29.0.ignore.cil",
- bottom_half: [":29.0.board.ignore.map"],
+ bottom_half: [":29.0.board.ignore.map{.plat_private}"],
top_half: "30.0.ignore.cil",
}
se_cil_compat_map {
name: "30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
+ bottom_half: [":30.0.board.ignore.map{.plat_private}"],
top_half: "31.0.ignore.cil",
}
se_cil_compat_map {
name: "31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
+ bottom_half: [":31.0.board.ignore.map{.plat_private}"],
top_half: "32.0.ignore.cil",
}
se_cil_compat_map {
name: "32.0.ignore.cil",
- bottom_half: [":32.0.board.ignore.map"],
- // top_half: "33.0.ignore.cil",
+ bottom_half: [":32.0.board.ignore.map{.plat_private}"],
+ top_half: "33.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "33.0.ignore.cil",
+ bottom_half: [":33.0.board.ignore.map{.plat_private}"],
+ // top_half: "34.0.ignore.cil",
}
se_cil_compat_map {
name: "system_ext_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
+ bottom_half: [":30.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_31.0.ignore.cil",
system_ext_specific: true,
}
se_cil_compat_map {
name: "system_ext_31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
+ bottom_half: [":31.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_32.0.ignore.cil",
system_ext_specific: true,
}
se_cil_compat_map {
name: "system_ext_32.0.ignore.cil",
- bottom_half: [":32.0.board.ignore.map"],
- // top_half: "system_ext_33.0.ignore.cil",
+ bottom_half: [":32.0.board.ignore.map{.system_ext_private}"],
+ top_half: "system_ext_33.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_33.0.ignore.cil",
+ bottom_half: [":33.0.board.ignore.map{.system_ext_private}"],
+ // top_half: "system_ext_34.0.ignore.cil",
system_ext_specific: true,
}
se_cil_compat_map {
name: "product_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
+ bottom_half: [":30.0.board.ignore.map{.product_private}"],
top_half: "product_31.0.ignore.cil",
product_specific: true,
}
se_cil_compat_map {
name: "product_31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
+ bottom_half: [":31.0.board.ignore.map{.product_private}"],
top_half: "product_32.0.ignore.cil",
product_specific: true,
}
se_cil_compat_map {
name: "product_32.0.ignore.cil",
- bottom_half: [":32.0.board.ignore.map"],
- // top_half: "product_33.0.ignore.cil",
+ bottom_half: [":32.0.board.ignore.map{.product_private}"],
+ top_half: "product_33.0.ignore.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_33.0.ignore.cil",
+ bottom_half: [":33.0.board.ignore.map{.product_private}"],
+ // top_half: "product_34.0.ignore.cil",
product_specific: true,
}
se_compat_cil {
name: "28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
+ srcs: [":28.0.board.compat.cil{.plat_private}"],
}
se_compat_cil {
name: "29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
+ srcs: [":29.0.board.compat.cil{.plat_private}"],
}
se_compat_cil {
name: "30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
+ srcs: [":30.0.board.compat.cil{.plat_private}"],
}
se_compat_cil {
name: "31.0.compat.cil",
- srcs: [":31.0.board.compat.cil"],
+ srcs: [":31.0.board.compat.cil{.plat_private}"],
}
se_compat_cil {
name: "32.0.compat.cil",
- srcs: [":32.0.board.compat.cil"],
+ srcs: [":32.0.board.compat.cil{.plat_private}"],
+}
+
+se_compat_cil {
+ name: "33.0.compat.cil",
+ srcs: [":33.0.board.compat.cil{.plat_private}"],
}
se_compat_cil {
name: "system_ext_28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
+ srcs: [":28.0.board.compat.cil{.system_ext_private}"],
stem: "28.0.compat.cil",
system_ext_specific: true,
}
se_compat_cil {
name: "system_ext_29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
+ srcs: [":29.0.board.compat.cil{.system_ext_private}"],
stem: "29.0.compat.cil",
system_ext_specific: true,
}
se_compat_cil {
name: "system_ext_30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
+ srcs: [":30.0.board.compat.cil{.system_ext_private}"],
stem: "30.0.compat.cil",
system_ext_specific: true,
}
se_compat_cil {
name: "system_ext_31.0.compat.cil",
- srcs: [":31.0.board.compat.cil"],
+ srcs: [":31.0.board.compat.cil{.system_ext_private}"],
stem: "31.0.compat.cil",
system_ext_specific: true,
}
se_compat_cil {
name: "system_ext_32.0.compat.cil",
- srcs: [":32.0.board.compat.cil"],
+ srcs: [":32.0.board.compat.cil{.system_ext_private}"],
stem: "32.0.compat.cil",
system_ext_specific: true,
}
+se_compat_cil {
+ name: "system_ext_33.0.compat.cil",
+ srcs: [":33.0.board.compat.cil{.system_ext_private}"],
+ stem: "33.0.compat.cil",
+ system_ext_specific: true,
+}
+
se_compat_test {
name: "sepolicy_compat_test",
}
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 2a5a058..82f42ba 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -23,6 +23,51 @@
default_applicable_licenses: ["system_sepolicy_license"],
}
+se_build_files {
+ name: "file_contexts_files",
+ srcs: ["file_contexts"],
+}
+
+se_build_files {
+ name: "file_contexts_asan_files",
+ srcs: ["file_contexts_asan"],
+}
+
+se_build_files {
+ name: "file_contexts_overlayfs_files",
+ srcs: ["file_contexts_overlayfs"],
+}
+
+se_build_files {
+ name: "hwservice_contexts_files",
+ srcs: ["hwservice_contexts"],
+}
+
+se_build_files {
+ name: "property_contexts_files",
+ srcs: ["property_contexts"],
+}
+
+se_build_files {
+ name: "service_contexts_files",
+ srcs: ["service_contexts"],
+}
+
+se_build_files {
+ name: "keystore2_key_contexts_files",
+ srcs: ["keystore2_key_contexts"],
+}
+
+se_build_files {
+ name: "seapp_contexts_files",
+ srcs: ["seapp_contexts"],
+}
+
+se_build_files {
+ name: "vndservice_contexts_files",
+ srcs: ["vndservice_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
srcs: [":file_contexts_files{.plat_private}"],
@@ -475,3 +520,8 @@
srcs: [":vndservice_contexts"],
sepolicy: ":precompiled_sepolicy",
}
+
+fuzzer_bindings_test {
+ name: "fuzzer_bindings_test",
+ srcs: [":plat_service_contexts"],
+}
diff --git a/mac_permissions.mk b/mac_permissions.mk
deleted file mode 100644
index ad17b8f..0000000
--- a/mac_permissions.mk
+++ /dev/null
@@ -1,175 +0,0 @@
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
-
-# Build keys.conf
-plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
-$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_plat_mac_perms_keys)
-$(plat_mac_perms_keys.tmp): $(all_plat_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-# Should be synced with keys.conf.
-all_plat_keys := platform sdk_sandbox media networkstack shared testkey bluetooth
-all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_plat_mac_perms_files) $(all_plat_keys)
- @mkdir -p $(dir $@)
- $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- MAINLINE_SEPOLICY_DEV_CERTIFICATES="$(MAINLINE_SEPOLICY_DEV_CERTIFICATES)" \
- $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-all_plat_keys :=
-all_plat_mac_perms_files :=
-all_plat_mac_perms_keys :=
-plat_mac_perms_keys.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_system_ext_mac_perms_keys := $(call build_policy, keys.conf, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-all_system_ext_mac_perms_files := $(call build_policy, mac_permissions.xml, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
-$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
-$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_system_ext_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-system_ext_mac_perms_keys.tmp :=
-all_system_ext_mac_perms_files :=
-all_system_ext_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_product_mac_perms_keys := $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
-$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys)
-$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_product_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-product_mac_perms_keys.tmp :=
-all_product_mac_perms_files :=
-all_product_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-
-# Build keys.conf
-vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
-$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_vendor_mac_perms_keys)
-$(vendor_mac_perms_keys.tmp): $(all_vendor_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_vendor_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-vendor_mac_perms_keys.tmp :=
-all_vendor_mac_perms_files :=
-all_vendor_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_odm_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
-$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_odm_mac_perms_keys)
-$(odm_mac_perms_keys.tmp): $(all_odm_mac_perms_keys) $(M4)
- @mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_odm_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-odm_mac_perms_keys.tmp :=
-all_odm_mac_perms_files :=
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
new file mode 100644
index 0000000..401f78c
--- /dev/null
+++ b/mac_permissions/Android.bp
@@ -0,0 +1,98 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for mac_permissions.xml files.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_sepolicy_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+se_build_files {
+ name: "keys.conf",
+ srcs: ["keys.conf"],
+}
+
+se_build_files {
+ name: "mac_permissions.xml",
+ srcs: ["mac_permissions.xml"],
+}
+
+mac_permissions {
+ name: "plat_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.plat_private}",
+ ":keys.conf{.system_ext_private}",
+ ":keys.conf{.product_private}",
+ ],
+ srcs: [":mac_permissions.xml{.plat_private}"],
+}
+
+mac_permissions {
+ name: "system_ext_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.system_ext_private}",
+ ":keys.conf{.reqd_mask}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.system_ext_private}",
+ ":mac_permissions.xml{.reqd_mask}",
+ ],
+ system_ext_specific: true,
+}
+
+mac_permissions {
+ name: "product_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.product_private}",
+ ":keys.conf{.reqd_mask}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.product_private}",
+ ":mac_permissions.xml{.reqd_mask}",
+ ],
+ product_specific: true,
+}
+
+mac_permissions {
+ name: "vendor_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.plat_vendor_for_vendor}",
+ ":keys.conf{.vendor}",
+ ":keys.conf{.reqd_mask_for_vendor}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.plat_vendor_for_vendor}",
+ ":mac_permissions.xml{.vendor}",
+ ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ],
+ vendor: true,
+}
+
+mac_permissions {
+ name: "odm_mac_permissions.xml",
+ keys: [
+ ":keys.conf{.odm}",
+ ":keys.conf{.reqd_mask_for_vendor}",
+ ],
+ srcs: [
+ ":mac_permissions.xml{.odm}",
+ ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ],
+ device_specific: true,
+}
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 386f11e..26dffe5 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,9 +2,6 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
-# Expose RPC Binder service over vsock
-allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
# Allow using various binder services
binder_use(compos);
allow compos authfs_binder_service:service_manager find;
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index d87df40..4c1baf5 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -48,6 +48,7 @@
# /dev/binder can be accessed by ... everyone! :)
allow domain binder_device:chr_file rw_file_perms;
+get_prop(domain, servicemanager_prop)
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
@@ -418,11 +419,6 @@
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
-
# Never allow anyone to connect or write to
# the tombstoned intercept socket.
neverallow { domain } tombstoned_intercept_socket:sock_file write;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 83eceb0..cd1961f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -123,6 +123,7 @@
/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
/system/bin/authfs u:object_r:authfs_exec:s0
/system/bin/authfs_service u:object_r:authfs_service_exec:s0
+/system/bin/kexec_load u:object_r:kexec_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/kexec.te b/microdroid/system/private/kexec.te
new file mode 100644
index 0000000..c0ab735
--- /dev/null
+++ b/microdroid/system/private/kexec.te
@@ -0,0 +1,12 @@
+# kexec loads a crashdump kernel into memory using the kexec_file_load syscall.
+type kexec, domain, coredomain;
+type kexec_exec, exec_type, file_type, system_file_type;
+
+# allow kexec to write into /dev/kmsg for logging
+allow kexec kmsg_device:chr_file w_file_perms;
+
+# kexec is launched by microdroid_manager with fork/execvp.
+allow kexec microdroid_manager:fd use;
+
+# allow kexec to have SYS_BOOT
+allow kexec self:capability sys_boot;
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
index a26cff3..a5b59fb 100644
--- a/microdroid/system/private/logcat.te
+++ b/microdroid/system/private/logcat.te
@@ -17,3 +17,6 @@
get_prop(logcat, logd_prop)
allow logcat self:global_capability_class_set { sys_nice };
+
+# logcat uses bootstrap to be run before apexd
+use_bootstrap_libs(logcat)
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 46cdb7d..5381212 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -41,4 +41,7 @@
# Logd sets defaults if certain properties are empty.
set_prop(logd, logd_prop)
+# logd uses bootstrap to be run before apexd
+use_bootstrap_libs(logd)
+
dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 21731cc..d4ad862 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -6,6 +6,9 @@
# allow domain transition from init
init_daemon_domain(microdroid_manager)
+# Allow microdroid_manager to set boot status
+set_prop(microdroid_manager, boot_status_prop)
+
# microdroid_manager accesses a virtual disk block device to read VM payload
# It needs write access as it updates the instance image
allow microdroid_manager block_device:dir r_dir_perms;
@@ -30,15 +33,12 @@
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
+# Allow microdroid_manager to run kexec to load crashkernel
+domain_auto_trans(microdroid_manager, kexec_exec, kexec)
+
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
-# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below rule
-userdebug_or_eng(`
- r_dir_file(microdroid_manager, fuse)
-')
-
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
@@ -63,6 +63,9 @@
set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
+# Allow microdroid_manager to stop tombstoned
+set_prop(microdroid_manager, ctl_tombstoned_prop)
+
# Allow microdroid_manager to wait for linkerconfig to be ready
get_prop(microdroid_manager, apex_config_prop)
@@ -76,6 +79,13 @@
# that is different from what is recorded in the instance.img file.
allow microdroid_manager proc_bootconfig:file r_file_perms;
+# microdroid_manager needs to read /proc/cmdline to see if crashkernel= parameter is set
+# or not; if set, it executes kexec to load the crashkernel into memory.
+allow microdroid_manager proc_cmdline:file r_file_perms;
+
+# Allow microdroid_manager to read/write failure serial device
+allow microdroid_manager serial_device:chr_file w_file_perms;
+
# Allow microdroid_manager to handle extra_apks
allow microdroid_manager extra_apk_file:dir create_dir_perms;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index fea0768..fd36b02 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,11 +27,21 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Only microdroid_payload and apk verity binaries can be run by microdroid_manager
-neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
+# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager
+neverallow microdroid_manager {
+ domain
+ -crash_dump
+ -microdroid_payload
+ -apkdmverity
+ -zipfuse
+ -kexec
+}:process transition;
# Allow microdroid_payload to open binder servers via vsock.
allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
+
+# Payload can read /proc/meminfo.
+allow microdroid_payload proc_meminfo:file r_file_perms;
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 6e795dc..a02a7f2 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,7 @@
+system_internal_prop(ctl_tombstoned_prop)
+
+system_restricted_prop(boot_status_prop)
+
# Declare ART properties for CompOS
system_public_prop(dalvik_config_prop)
system_restricted_prop(device_config_runtime_native_prop)
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 6f65eff..89609b9 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -23,6 +23,8 @@
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+ctl.stop$tombstoned u:object_r:ctl_tombstoned_prop:s0
+
ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
@@ -41,6 +43,8 @@
ro.logd.kernel u:object_r:logd_prop:s0 exact bool
logd.ready u:object_r:logd_prop:s0 exact bool
+dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
+
ro.config.low_ram u:object_r:build_prop:s0 exact bool
ro.boottime.adbd u:object_r:boottime_prop:s0 exact int
@@ -114,6 +118,7 @@
ro.build.version.release u:object_r:build_prop:s0 exact string
ro.build.version.sdk u:object_r:build_prop:s0 exact int
ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.build.version.known_codenames u:object_r:build_prop:s0 exact string
ro.debuggable u:object_r:build_prop:s0 exact bool
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
ro.adb.secure u:object_r:build_prop:s0 exact bool
@@ -151,6 +156,8 @@
heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
+servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+
# ART properties for CompOS
dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index d51c827..91a8ad2 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -24,6 +24,7 @@
add_service(servicemanager, service_manager_service)
set_prop(servicemanager, ctl_interface_start_prop)
+set_prop(servicemanager, servicemanager_prop)
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index c93b488..d6c3c0d 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -35,6 +35,7 @@
dontaudit shell sysfs:dir r_dir_perms;
# Test tool tries to read various service status properties.
+get_prop(shell, boot_status_prop)
get_prop(shell, init_service_status_prop)
get_prop(shell, init_service_status_private_prop)
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
index 588ebff..1887654 100644
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -3,6 +3,8 @@
init_daemon_domain(tombstone_transmit)
-r_dir_file(tombstone_transmit, tombstone_data_file)
+# permission required to read the file & remove it from directory
+allow tombstone_transmit tombstone_data_file:dir { r_dir_perms write remove_name };
+allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 00b5f2b..7d351a9 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,9 +7,6 @@
# in tools/checkfc.c
attribute dev_type;
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute bdev_type;
-
# All types used for processes.
attribute domain;
@@ -123,12 +120,6 @@
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index f85ba76..a04fc19 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -24,6 +24,7 @@
type ctl_stop_prop, property_type;
type ctl_tombstone_transmit_prop, property_type;
type ctl_zipfuse_prop, property_type;
+type servicemanager_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
type dev_mnt_prop, property_type;
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index b21b2dd..b4c49c8 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -5,7 +5,7 @@
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
-type hal_dice_service, vendor_service, service_manager_type;
+type hal_dice_service, service_manager_type;
type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
diff --git a/prebuilts/api/32.0/private/mediatranscoding.te b/prebuilts/api/32.0/private/mediatranscoding.te
index 2a43cf9..073e81d 100644
--- a/prebuilts/api/32.0/private/mediatranscoding.te
+++ b/prebuilts/api/32.0/private/mediatranscoding.te
@@ -19,6 +19,7 @@
hal_client_domain(mediatranscoding, hal_configstore)
hal_client_domain(mediatranscoding, hal_omx)
hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
allow mediatranscoding mediaserver_service:service_manager find;
allow mediatranscoding mediametrics_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/app.te b/prebuilts/api/33.0/private/app.te
index b7da601..86180b0 100644
--- a/prebuilts/api/33.0/private/app.te
+++ b/prebuilts/api/33.0/private/app.te
@@ -75,6 +75,11 @@
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index a07f5ae..c1fc736 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
device_config_vendor_system_native_prop
+ device_config_vendor_system_native_boot_prop
dice_maintenance_service
dice_node_service
diced
diff --git a/prebuilts/api/33.0/private/crash_dump.te b/prebuilts/api/33.0/private/crash_dump.te
index 90ffeb5..82ca403 100644
--- a/prebuilts/api/33.0/private/crash_dump.te
+++ b/prebuilts/api/33.0/private/crash_dump.te
@@ -8,6 +8,7 @@
-apexd
-bpfloader
-crash_dump
+ -crosvm # TODO(b/236672526): Remove exception for crosvm
-diced
-init
-kernel
diff --git a/prebuilts/api/33.0/private/crosvm.te b/prebuilts/api/33.0/private/crosvm.te
index e47abd7..167ad2f 100644
--- a/prebuilts/api/33.0/private/crosvm.te
+++ b/prebuilts/api/33.0/private/crosvm.te
@@ -66,12 +66,9 @@
# For ACPI
allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
-# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
-# compliance tests and demo apps. Write access to instance.img is particularily important because
-# the VM has to initialize the disk image on its first boot. Note that open access is still not
-# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
-# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
-allow crosvm shell_data_file:file write;
+# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
+# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
+userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
diff --git a/prebuilts/api/33.0/private/flags_health_check.te b/prebuilts/api/33.0/private/flags_health_check.te
index 54ecd45..58275ff 100644
--- a/prebuilts/api/33.0/private/flags_health_check.te
+++ b/prebuilts/api/33.0/private/flags_health_check.te
@@ -24,6 +24,7 @@
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
diff --git a/prebuilts/api/33.0/private/gmscore_app.te b/prebuilts/api/33.0/private/gmscore_app.te
index 2198c15..8795798 100644
--- a/prebuilts/api/33.0/private/gmscore_app.te
+++ b/prebuilts/api/33.0/private/gmscore_app.te
@@ -5,11 +5,6 @@
app_domain(gmscore_app)
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)
diff --git a/prebuilts/api/33.0/private/platform_app.te b/prebuilts/api/33.0/private/platform_app.te
index b723633..6112ae0 100644
--- a/prebuilts/api/33.0/private/platform_app.te
+++ b/prebuilts/api/33.0/private/platform_app.te
@@ -113,10 +113,6 @@
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 1b2360d..4eda4a1 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -257,6 +257,7 @@
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot. u:object_r:device_config_vendor_system_native_boot_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
@@ -728,7 +729,8 @@
# GWP-ASan props. Separate from other libc.debug.* props, because we want users
# to be able to set them from `adb shell` even on release devices.
-libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+persist.libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index 20d3adf..7ca323f 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -12,86 +12,20 @@
# Allow finding services. This is different from ephemeral_app policy.
# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
# Audit the access to signal that we are still investigating whether sdk_sandbox
# should have access to audio_service
# TODO(b/211632068): remove this line
auditallow sdk_sandbox audio_service:service_manager find;
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox trust_service:service_manager find;
allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
allow sdk_sandbox webviewupdate_service:service_manager find;
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
@@ -116,7 +50,7 @@
### neverallow rules
###
-neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
diff --git a/prebuilts/api/33.0/private/surfaceflinger.te b/prebuilts/api/33.0/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/prebuilts/api/33.0/private/surfaceflinger.te
+++ b/prebuilts/api/33.0/private/surfaceflinger.te
@@ -74,13 +74,9 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
perfetto_producer(surfaceflinger)
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/prebuilts/api/33.0/private/system_app.te b/prebuilts/api/33.0/private/system_app.te
index 01956f4..77cca3d 100644
--- a/prebuilts/api/33.0/private/system_app.te
+++ b/prebuilts/api/33.0/private/system_app.te
@@ -176,10 +176,6 @@
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
###
### Neverallow rules
###
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index bb02047..8a7947d 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -15,11 +15,6 @@
userfaultfd_use(system_server)
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
@@ -757,6 +752,7 @@
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
diff --git a/prebuilts/api/33.0/private/toolbox.te b/prebuilts/api/33.0/private/toolbox.te
index 1e53d72..a2b958d 100644
--- a/prebuilts/api/33.0/private/toolbox.te
+++ b/prebuilts/api/33.0/private/toolbox.te
@@ -1,7 +1,3 @@
typeattribute toolbox coredomain;
init_daemon_domain(toolbox)
-
-# rm -rf in /data/misc/virtualizationservice
-allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
-allow toolbox virtualizationservice_data_file:file { getattr unlink };
diff --git a/prebuilts/api/33.0/private/untrusted_app.te b/prebuilts/api/33.0/private/untrusted_app.te
index 63b095a..62d458d 100644
--- a/prebuilts/api/33.0/private/untrusted_app.te
+++ b/prebuilts/api/33.0/private/untrusted_app.te
@@ -14,10 +14,3 @@
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
-
-# Allow webview to access fd shared by sdksandbox for experiments data
-# TODO(b/229249719): Will not be supported in Android U
-allow untrusted_app sdk_sandbox_data_file:fd use;
-allow untrusted_app sdk_sandbox_data_file:file write;
-
-neverallow untrusted_app sdk_sandbox_data_file:file { open create };
diff --git a/prebuilts/api/33.0/private/untrusted_app_all.te b/prebuilts/api/33.0/private/untrusted_app_all.te
index 26077f3..ceee544 100644
--- a/prebuilts/api/33.0/private/untrusted_app_all.te
+++ b/prebuilts/api/33.0/private/untrusted_app_all.te
@@ -176,7 +176,9 @@
# permission. The protection level of the permission is `signature|development`
# so that it can only be granted to either platform-key signed apps or
# test-only apps having `android:testOnly="true"` in its manifest.
-virtualizationservice_use(untrusted_app_all)
+userdebug_or_eng(`
+ virtualizationservice_use(untrusted_app_all)
+')
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 2c75f30..8d3e556 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -87,6 +87,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_neuralnetworks_server
hal_omx_server
hal_power_server
@@ -112,6 +113,9 @@
sysfs_zram
}:file r_file_perms;
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;
@@ -146,6 +150,7 @@
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
+dump_hal(hal_input_processor)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
diff --git a/prebuilts/api/33.0/public/init.te b/prebuilts/api/33.0/public/init.te
index ce0d130..8dcdd33 100644
--- a/prebuilts/api/33.0/public/init.te
+++ b/prebuilts/api/33.0/public/init.te
@@ -158,7 +158,6 @@
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
allowxperm init dev_type:blk_file ioctl BLKROSET;
-allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
diff --git a/prebuilts/api/33.0/public/ioctl_defines b/prebuilts/api/33.0/public/ioctl_defines
index d46e485..0e22670 100644
--- a/prebuilts/api/33.0/public/ioctl_defines
+++ b/prebuilts/api/33.0/public/ioctl_defines
@@ -722,7 +722,6 @@
define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
-define(`F2FS_IOC_SHUTDOWN', `0x587d')
define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index a235634..42fe979 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -68,6 +68,7 @@
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index b7302d4..57df54c 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -274,6 +274,7 @@
# Allow vendor_init to read vendor_system_native device config changes
get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
###
### neverallow rules
diff --git a/private/apexd.te b/private/apexd.te
index 040651d..b74d4ee 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -33,9 +33,12 @@
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
-# Allow apexd to read directories under /data/misc_de in order to snapshot and
-# restore apex data for all users.
-allow apexd system_data_file:dir r_dir_perms;
+# Allow apexd to read /data/misc_de and the directories under it, in order to
+# snapshot and restore apex data for all users.
+allow apexd {
+ system_userdir_file
+ system_data_file
+}:dir r_dir_perms;
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
@@ -86,7 +89,6 @@
allow apexd apex_info_file:file relabelto;
# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
allow apexd apex_info_file:file rw_file_perms;
-allow apexd apex_info_file:file mounton;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
@@ -129,6 +131,9 @@
# Allow apexd to stop itself
set_prop(apexd, ctl_apexd_prop)
+# Allow apexd to send control messages to load/unload apex from init
+set_prop(apexd, ctl_apex_load_prop)
+
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
@@ -204,3 +209,6 @@
# Allow calling derive_classpath to gather BCP information for staged sessions
domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
+
+# Allow set apex ready property
+set_prop(apexd, apex_ready_prop)
diff --git a/private/app.te b/private/app.te
index b7da601..69ec868 100644
--- a/private/app.te
+++ b/private/app.te
@@ -75,6 +75,11 @@
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
@@ -104,6 +109,9 @@
# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)
+# Allow to read system_user_mode_emulation_prop, which is used by UserManager.java
+userdebug_or_eng(`get_prop(appdomain, system_user_mode_emulation_prop)')
+
# Allow font file read by apps.
allow appdomain font_data_file:file r_file_perms;
allow appdomain font_data_file:dir r_dir_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 304f5a2..c2e0b10 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -123,10 +123,11 @@
# Apps can read/write an already open vsock (e.g. created by
# virtualizationservice) but nothing more than that (e.g. creating a
# new vsock, etc.)
-neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr getopt read write };
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
neverallow {
@@ -254,3 +255,11 @@
# Only privileged apps may find the incident service
neverallow all_untrusted_apps incident_service:service_manager find;
+
+# Do not allow untrusted app to read hidden system proprerties.
+# We do not include in the exclusions other normally untrusted applications such as mediaprovider
+# due to the specific logging use cases.
+# Context: b/193912100
+neverallow {
+ untrusted_app_all
+} { userdebug_or_eng_prop }:file read;
diff --git a/private/artd.te b/private/artd.te
index 0aa12dc..58fe6ef 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,16 +1,84 @@
-# art service daemon
-type artd, domain;
+# ART service daemon.
+typeattribute artd coredomain;
type artd_exec, system_file_type, exec_type, file_type;
+type artd_tmpfs, file_type;
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
allow artd dumpstate:fifo_file { getattr write };
-typeattribute artd coredomain;
-
init_daemon_domain(artd)
# Allow query ART device config properties
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)
+
+# Access to "odsign.verification.success" for deciding whether to deny files in
+# the ART APEX data directory.
+get_prop(artd, odsign_prop)
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by artd their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by artd vs other
+# processes.
+tmpfs_domain(artd)
+
+# Allow testing userfaultfd support.
+userfaultfd_use(artd)
+
+# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+r_dir_file(artd, apk_data_file)
+
+# Read access to /vendor/app.
+r_dir_file(artd, vendor_app_file)
+
+# Read/write access to all compilation artifacts generated on device for apps'
+# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
+allow artd dalvikcache_data_file:dir create_dir_perms;
+allow artd dalvikcache_data_file:file create_file_perms;
+
+# Read access to the ART APEX data directory.
+# Needed for reading the boot image generated on device.
+allow artd apex_module_data_file:dir { getattr search };
+r_dir_file(artd, apex_art_data_file)
+
+# Read access to /apex/apex-info-list.xml
+# Needed for getting APEX versions.
+allow artd apex_info_file:file r_file_perms;
+
+# Allow getting root capabilities to bypass permission checks.
+# - "dac_override" and "dac_read_search" are for
+# - reading secondary dex'es in app data directories (reading primary dex'es
+# doesn't need root capabilities)
+# - managing (CRUD) compilation artifacts in both APK directories for primary
+# dex'es and in app data directories for secondary dex'es
+# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
+# - "fowner" is for adjusting the file permissions of compilation artifacts and
+# profile files based on whether they include user data or not.
+# - "chown" is for transferring the ownership of compilation artifacts and
+# profile files to the system or apps.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
+
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
+allow artd user_profile_data_file:dir { getattr search };
+allow artd user_profile_data_file:file create_file_perms;
+
+# Never allow running other binaries without a domain transition.
+# The only exception is art_exec. It is allowed to use the artd domain because
+# it is a thin wrapper that executes other binaries on behalf of artd.
+neverallow artd ~{art_exec_exec}:file execute_no_trans;
+allow artd art_exec_exec:file rx_file_perms;
+
+# Allow running other binaries in their own domains.
+domain_auto_trans(artd, profman_exec, profman)
+domain_auto_trans(artd, dex2oat_exec, dex2oat)
+
+# Allow sending sigkill to subprocesses.
+allow artd { profman dex2oat }:process sigkill;
+
+# Allow reading process info (/proc/<pid>/...).
+# This is needed for getting CPU time and wall time spent on subprocesses.
+r_dir_file(artd, profman);
+r_dir_file(artd, dex2oat);
diff --git a/private/atrace.te b/private/atrace.te
index ca0e527..50ab392 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,7 +31,6 @@
-dumpstate_service
-incident_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
diff --git a/private/audioserver.te b/private/audioserver.te
index ca29373..7a5e8bc 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,6 +43,7 @@
allow audioserver mediametrics_service:service_manager find;
allow audioserver sensor_privacy_service:service_manager find;
allow audioserver soundtrigger_middleware_service:service_manager find;
+allow audioserver audio_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index 2be7f88..ada65ae 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -12,3 +12,10 @@
neverallow { domain -bpfdomain } *:bpf *;
allow bpfdomain fs_bpf:dir search;
+
+# genfscon doesn't seem to trigger during symlink creation,
+# and thus any created symlinks end up as 'fs_bpf:lnk_type',
+# however this feels like a kernel bug / missing feature,
+# so let's allow all bpffs_type's instead,
+# this will keep things working even if this is fixed.
+allow bpfdomain bpffs_type:lnk_file read;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 54cc916..7c009ec 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -7,7 +7,8 @@
# These permissions are required to pin ebpf maps & programs.
allow bpfloader bpffs_type:dir { add_name create remove_name search write };
-allow bpfloader bpffs_type:file { create read rename setattr };
+allow bpfloader bpffs_type:file { create getattr read rename setattr };
+allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
@@ -32,7 +33,7 @@
# TODO: get rid of init & vendor_init
neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
-neverallow { domain -bpfloader } bpffs_type:file { create rename };
+neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server -vendor_init } fs_bpf:file read;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file read;
neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file read;
@@ -40,7 +41,10 @@
neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file read;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
-neverallow domain bpffs_type:file ~{ create map open read rename setattr write };
+neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
+
+neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
+neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 0fb0a1c..5dba020 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1577,7 +1577,8 @@
(typeattributeset proc_29_0
( proc
proc_kpageflags
- proc_lowmemorykiller))
+ proc_lowmemorykiller
+ proc_watermark_scale_factor))
(typeattributeset proc_abi_29_0 (proc_abi))
(typeattributeset proc_asound_29_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_29_0 (proc_bluetooth_writable))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 9f40876..44044fb 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1820,7 +1820,8 @@
(typeattributeset privapp_data_file_30_0 (privapp_data_file))
(typeattributeset proc_30_0
( proc
- proc_bootconfig))
+ proc_bootconfig
+ proc_watermark_scale_factor))
(typeattributeset proc_abi_30_0 (proc_abi))
(typeattributeset proc_asound_30_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index ba6944e..0e90912 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -1974,6 +1974,7 @@
( proc
proc_bpf
proc_cpu_alignment
+ proc_watermark_scale_factor
))
(typeattributeset proc_abi_31_0 (proc_abi))
(typeattributeset proc_asound_31_0 (proc_asound))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 496832e..a5a3475 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -39,7 +39,6 @@
tare_service
transformer_service
proc_watermark_boost_factor
- proc_watermark_scale_factor
untrusted_app_30
proc_vendor_sched
sdk_sandbox_service
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index a99b628..3672436 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -1972,7 +1972,10 @@
(typeattributeset print_service_32_0 (print_service))
(typeattributeset priv_app_32_0 (priv_app))
(typeattributeset privapp_data_file_32_0 (privapp_data_file))
-(typeattributeset proc_32_0 (proc proc_bpf proc_cpu_alignment))
+(typeattributeset proc_32_0 (proc))
+(typeattributeset proc_32_0 (proc_bpf))
+(typeattributeset proc_32_0 (proc_cpu_alignment))
+(typeattributeset proc_32_0 (proc_watermark_scale_factor))
(typeattributeset proc_abi_32_0 (proc_abi))
(typeattributeset proc_asound_32_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_32_0 (proc_bluetooth_writable))
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index a07f5ae..50e3be7 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
device_config_vendor_system_native_prop
+ device_config_vendor_system_native_boot_prop
dice_maintenance_service
dice_node_service
diced
@@ -59,7 +60,6 @@
nearby_service
persist_wm_debug_prop
proc_watermark_boost_factor
- proc_watermark_scale_factor
remotelyprovisionedkeypool_service
resources_manager_service
rootdisk_sysdev
@@ -71,6 +71,7 @@
sysfs_gpu
sysfs_lru_gen_enabled
system_dlkm_file
+ system_user_mode_emulation_prop
tare_service
tv_iapp_service
untrusted_app_30
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
new file mode 100644
index 0000000..163a300
--- /dev/null
+++ b/private/compat/33.0/33.0.cil
@@ -0,0 +1,2628 @@
+;; types removed from current policy
+(type iorap_inode2filename)
+(type iorap_inode2filename_exec)
+(type iorap_inode2filename_tmpfs)
+(type iorap_prefetcherd)
+(type iorap_prefetcherd_exec)
+(type iorap_prefetcherd_tmpfs)
+(type iorapd)
+(type iorapd_data_file)
+(type iorapd_exec)
+(type iorapd_service)
+(type iorapd_tmpfs)
+(type lowpan_service)
+(type timezone_service)
+(type tzdatacheck)
+(type tzdatacheck_exec)
+(type wpantund)
+(type wpantund_exec)
+(type wpantund_service)
+(type zoneinfo_data_file)
+
+(expandtypeattribute (DockObserver_service_33_0) true)
+(expandtypeattribute (IProxyService_service_33_0) true)
+(expandtypeattribute (aac_drc_prop_33_0) true)
+(expandtypeattribute (aaudio_config_prop_33_0) true)
+(expandtypeattribute (ab_update_gki_prop_33_0) true)
+(expandtypeattribute (accessibility_service_33_0) true)
+(expandtypeattribute (account_service_33_0) true)
+(expandtypeattribute (activity_service_33_0) true)
+(expandtypeattribute (activity_task_service_33_0) true)
+(expandtypeattribute (adb_data_file_33_0) true)
+(expandtypeattribute (adb_keys_file_33_0) true)
+(expandtypeattribute (adb_service_33_0) true)
+(expandtypeattribute (adbd_33_0) true)
+(expandtypeattribute (adbd_config_prop_33_0) true)
+(expandtypeattribute (adbd_exec_33_0) true)
+(expandtypeattribute (adbd_socket_33_0) true)
+(expandtypeattribute (adservices_manager_service_33_0) true)
+(expandtypeattribute (aidl_lazy_test_server_33_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_33_0) true)
+(expandtypeattribute (aidl_lazy_test_service_33_0) true)
+(expandtypeattribute (alarm_service_33_0) true)
+(expandtypeattribute (anr_data_file_33_0) true)
+(expandtypeattribute (apc_service_33_0) true)
+(expandtypeattribute (apex_data_file_33_0) true)
+(expandtypeattribute (apex_info_file_33_0) true)
+(expandtypeattribute (apex_metadata_file_33_0) true)
+(expandtypeattribute (apex_mnt_dir_33_0) true)
+(expandtypeattribute (apex_module_data_file_33_0) true)
+(expandtypeattribute (apex_ota_reserved_file_33_0) true)
+(expandtypeattribute (apex_rollback_data_file_33_0) true)
+(expandtypeattribute (apex_service_33_0) true)
+(expandtypeattribute (apex_system_server_data_file_33_0) true)
+(expandtypeattribute (apexd_33_0) true)
+(expandtypeattribute (apexd_config_prop_33_0) true)
+(expandtypeattribute (apexd_exec_33_0) true)
+(expandtypeattribute (apexd_prop_33_0) true)
+(expandtypeattribute (apexd_select_prop_33_0) true)
+(expandtypeattribute (apk_data_file_33_0) true)
+(expandtypeattribute (apk_private_data_file_33_0) true)
+(expandtypeattribute (apk_private_tmp_file_33_0) true)
+(expandtypeattribute (apk_tmp_file_33_0) true)
+(expandtypeattribute (apk_verity_prop_33_0) true)
+(expandtypeattribute (app_binding_service_33_0) true)
+(expandtypeattribute (app_data_file_33_0) true)
+(expandtypeattribute (app_fuse_file_33_0) true)
+(expandtypeattribute (app_fusefs_33_0) true)
+(expandtypeattribute (app_hibernation_service_33_0) true)
+(expandtypeattribute (app_integrity_service_33_0) true)
+(expandtypeattribute (app_prediction_service_33_0) true)
+(expandtypeattribute (app_search_service_33_0) true)
+(expandtypeattribute (app_zygote_33_0) true)
+(expandtypeattribute (app_zygote_tmpfs_33_0) true)
+(expandtypeattribute (appcompat_data_file_33_0) true)
+(expandtypeattribute (appdomain_tmpfs_33_0) true)
+(expandtypeattribute (appops_service_33_0) true)
+(expandtypeattribute (appwidget_service_33_0) true)
+(expandtypeattribute (arm64_memtag_prop_33_0) true)
+(expandtypeattribute (art_apex_dir_33_0) true)
+(expandtypeattribute (artd_service_33_0) true)
+(expandtypeattribute (asec_apk_file_33_0) true)
+(expandtypeattribute (asec_image_file_33_0) true)
+(expandtypeattribute (asec_public_file_33_0) true)
+(expandtypeattribute (ashmem_device_33_0) true)
+(expandtypeattribute (ashmem_libcutils_device_33_0) true)
+(expandtypeattribute (assetatlas_service_33_0) true)
+(expandtypeattribute (atrace_33_0) true)
+(expandtypeattribute (attestation_verification_service_33_0) true)
+(expandtypeattribute (audio_config_prop_33_0) true)
+(expandtypeattribute (audio_data_file_33_0) true)
+(expandtypeattribute (audio_device_33_0) true)
+(expandtypeattribute (audio_prop_33_0) true)
+(expandtypeattribute (audio_service_33_0) true)
+(expandtypeattribute (audiohal_data_file_33_0) true)
+(expandtypeattribute (audioserver_33_0) true)
+(expandtypeattribute (audioserver_data_file_33_0) true)
+(expandtypeattribute (audioserver_service_33_0) true)
+(expandtypeattribute (audioserver_tmpfs_33_0) true)
+(expandtypeattribute (auth_service_33_0) true)
+(expandtypeattribute (authorization_service_33_0) true)
+(expandtypeattribute (autofill_service_33_0) true)
+(expandtypeattribute (backup_data_file_33_0) true)
+(expandtypeattribute (backup_service_33_0) true)
+(expandtypeattribute (battery_service_33_0) true)
+(expandtypeattribute (batteryproperties_service_33_0) true)
+(expandtypeattribute (batterystats_service_33_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_33_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_33_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_33_0) true)
+(expandtypeattribute (binder_calls_stats_service_33_0) true)
+(expandtypeattribute (binder_device_33_0) true)
+(expandtypeattribute (binderfs_33_0) true)
+(expandtypeattribute (binderfs_features_33_0) true)
+(expandtypeattribute (binderfs_logs_33_0) true)
+(expandtypeattribute (binderfs_logs_proc_33_0) true)
+(expandtypeattribute (binfmt_miscfs_33_0) true)
+(expandtypeattribute (biometric_service_33_0) true)
+(expandtypeattribute (blkid_33_0) true)
+(expandtypeattribute (blkid_untrusted_33_0) true)
+(expandtypeattribute (blob_store_service_33_0) true)
+(expandtypeattribute (block_device_33_0) true)
+(expandtypeattribute (bluetooth_33_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_33_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_33_0) true)
+(expandtypeattribute (bluetooth_config_prop_33_0) true)
+(expandtypeattribute (bluetooth_data_file_33_0) true)
+(expandtypeattribute (bluetooth_efs_file_33_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_33_0) true)
+(expandtypeattribute (bluetooth_manager_service_33_0) true)
+(expandtypeattribute (bluetooth_prop_33_0) true)
+(expandtypeattribute (bluetooth_service_33_0) true)
+(expandtypeattribute (bluetooth_socket_33_0) true)
+(expandtypeattribute (boot_block_device_33_0) true)
+(expandtypeattribute (boot_status_prop_33_0) true)
+(expandtypeattribute (bootanim_33_0) true)
+(expandtypeattribute (bootanim_config_prop_33_0) true)
+(expandtypeattribute (bootanim_exec_33_0) true)
+(expandtypeattribute (bootanim_system_prop_33_0) true)
+(expandtypeattribute (bootchart_data_file_33_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_33_0) true)
+(expandtypeattribute (bootloader_prop_33_0) true)
+(expandtypeattribute (bootstat_33_0) true)
+(expandtypeattribute (bootstat_data_file_33_0) true)
+(expandtypeattribute (bootstat_exec_33_0) true)
+(expandtypeattribute (boottime_prop_33_0) true)
+(expandtypeattribute (boottime_public_prop_33_0) true)
+(expandtypeattribute (boottrace_data_file_33_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_33_0) true)
+(expandtypeattribute (bpfloader_33_0) true)
+(expandtypeattribute (bq_config_prop_33_0) true)
+(expandtypeattribute (broadcastradio_service_33_0) true)
+(expandtypeattribute (bufferhubd_33_0) true)
+(expandtypeattribute (bufferhubd_exec_33_0) true)
+(expandtypeattribute (bugreport_service_33_0) true)
+(expandtypeattribute (build_bootimage_prop_33_0) true)
+(expandtypeattribute (build_config_prop_33_0) true)
+(expandtypeattribute (build_odm_prop_33_0) true)
+(expandtypeattribute (build_prop_33_0) true)
+(expandtypeattribute (build_vendor_prop_33_0) true)
+(expandtypeattribute (cache_backup_file_33_0) true)
+(expandtypeattribute (cache_block_device_33_0) true)
+(expandtypeattribute (cache_file_33_0) true)
+(expandtypeattribute (cache_private_backup_file_33_0) true)
+(expandtypeattribute (cache_recovery_file_33_0) true)
+(expandtypeattribute (cacheinfo_service_33_0) true)
+(expandtypeattribute (camera2_extensions_prop_33_0) true)
+(expandtypeattribute (camera_calibration_prop_33_0) true)
+(expandtypeattribute (camera_config_prop_33_0) true)
+(expandtypeattribute (camera_data_file_33_0) true)
+(expandtypeattribute (camera_device_33_0) true)
+(expandtypeattribute (cameraproxy_service_33_0) true)
+(expandtypeattribute (cameraserver_33_0) true)
+(expandtypeattribute (cameraserver_exec_33_0) true)
+(expandtypeattribute (cameraserver_service_33_0) true)
+(expandtypeattribute (cameraserver_tmpfs_33_0) true)
+(expandtypeattribute (camerax_extensions_prop_33_0) true)
+(expandtypeattribute (cgroup_33_0) true)
+(expandtypeattribute (cgroup_desc_api_file_33_0) true)
+(expandtypeattribute (cgroup_desc_file_33_0) true)
+(expandtypeattribute (cgroup_rc_file_33_0) true)
+(expandtypeattribute (cgroup_v2_33_0) true)
+(expandtypeattribute (charger_33_0) true)
+(expandtypeattribute (charger_config_prop_33_0) true)
+(expandtypeattribute (charger_exec_33_0) true)
+(expandtypeattribute (charger_prop_33_0) true)
+(expandtypeattribute (charger_status_prop_33_0) true)
+(expandtypeattribute (charger_vendor_33_0) true)
+(expandtypeattribute (clipboard_service_33_0) true)
+(expandtypeattribute (cloudsearch_service_33_0) true)
+(expandtypeattribute (codec2_config_prop_33_0) true)
+(expandtypeattribute (cold_boot_done_prop_33_0) true)
+(expandtypeattribute (color_display_service_33_0) true)
+(expandtypeattribute (companion_device_service_33_0) true)
+(expandtypeattribute (config_prop_33_0) true)
+(expandtypeattribute (configfs_33_0) true)
+(expandtypeattribute (connectivity_native_service_33_0) true)
+(expandtypeattribute (connectivity_service_33_0) true)
+(expandtypeattribute (connmetrics_service_33_0) true)
+(expandtypeattribute (console_device_33_0) true)
+(expandtypeattribute (consumer_ir_service_33_0) true)
+(expandtypeattribute (content_capture_service_33_0) true)
+(expandtypeattribute (content_service_33_0) true)
+(expandtypeattribute (content_suggestions_service_33_0) true)
+(expandtypeattribute (contexthub_service_33_0) true)
+(expandtypeattribute (coredump_file_33_0) true)
+(expandtypeattribute (country_detector_service_33_0) true)
+(expandtypeattribute (coverage_service_33_0) true)
+(expandtypeattribute (cppreopt_prop_33_0) true)
+(expandtypeattribute (cpu_variant_prop_33_0) true)
+(expandtypeattribute (cpuinfo_service_33_0) true)
+(expandtypeattribute (crash_dump_33_0) true)
+(expandtypeattribute (crash_dump_exec_33_0) true)
+(expandtypeattribute (credstore_33_0) true)
+(expandtypeattribute (credstore_data_file_33_0) true)
+(expandtypeattribute (credstore_exec_33_0) true)
+(expandtypeattribute (credstore_service_33_0) true)
+(expandtypeattribute (crossprofileapps_service_33_0) true)
+(expandtypeattribute (ctl_adbd_prop_33_0) true)
+(expandtypeattribute (ctl_apexd_prop_33_0) true)
+(expandtypeattribute (ctl_bootanim_prop_33_0) true)
+(expandtypeattribute (ctl_bugreport_prop_33_0) true)
+(expandtypeattribute (ctl_console_prop_33_0) true)
+(expandtypeattribute (ctl_default_prop_33_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_33_0) true)
+(expandtypeattribute (ctl_fuse_prop_33_0) true)
+(expandtypeattribute (ctl_gsid_prop_33_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_33_0) true)
+(expandtypeattribute (ctl_interface_start_prop_33_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_33_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_33_0) true)
+(expandtypeattribute (ctl_restart_prop_33_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_33_0) true)
+(expandtypeattribute (ctl_sigstop_prop_33_0) true)
+(expandtypeattribute (ctl_start_prop_33_0) true)
+(expandtypeattribute (ctl_stop_prop_33_0) true)
+(expandtypeattribute (dalvik_config_prop_33_0) true)
+(expandtypeattribute (dalvik_prop_33_0) true)
+(expandtypeattribute (dalvik_runtime_prop_33_0) true)
+(expandtypeattribute (dalvikcache_data_file_33_0) true)
+(expandtypeattribute (dataloader_manager_service_33_0) true)
+(expandtypeattribute (dbinfo_service_33_0) true)
+(expandtypeattribute (dck_prop_33_0) true)
+(expandtypeattribute (debug_prop_33_0) true)
+(expandtypeattribute (debugfs_33_0) true)
+(expandtypeattribute (debugfs_bootreceiver_tracing_33_0) true)
+(expandtypeattribute (debugfs_kprobes_33_0) true)
+(expandtypeattribute (debugfs_mm_events_tracing_33_0) true)
+(expandtypeattribute (debugfs_mmc_33_0) true)
+(expandtypeattribute (debugfs_restriction_prop_33_0) true)
+(expandtypeattribute (debugfs_trace_marker_33_0) true)
+(expandtypeattribute (debugfs_tracing_33_0) true)
+(expandtypeattribute (debugfs_tracing_debug_33_0) true)
+(expandtypeattribute (debugfs_tracing_instances_33_0) true)
+(expandtypeattribute (debugfs_tracing_printk_formats_33_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_33_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_33_0) true)
+(expandtypeattribute (debuggerd_prop_33_0) true)
+(expandtypeattribute (default_android_hwservice_33_0) true)
+(expandtypeattribute (default_android_service_33_0) true)
+(expandtypeattribute (default_android_vndservice_33_0) true)
+(expandtypeattribute (default_prop_33_0) true)
+(expandtypeattribute (dev_cpu_variant_33_0) true)
+(expandtypeattribute (device_33_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_33_0) true)
+(expandtypeattribute (device_config_boot_count_prop_33_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_33_0) true)
+(expandtypeattribute (device_config_media_native_prop_33_0) true)
+(expandtypeattribute (device_config_netd_native_prop_33_0) true)
+(expandtypeattribute (device_config_nnapi_native_prop_33_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_33_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_33_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_33_0) true)
+(expandtypeattribute (device_config_service_33_0) true)
+(expandtypeattribute (device_config_surface_flinger_native_boot_prop_33_0) true)
+(expandtypeattribute (device_identifiers_service_33_0) true)
+(expandtypeattribute (device_logging_prop_33_0) true)
+(expandtypeattribute (device_policy_service_33_0) true)
+(expandtypeattribute (device_state_service_33_0) true)
+(expandtypeattribute (deviceidle_service_33_0) true)
+(expandtypeattribute (devicestoragemonitor_service_33_0) true)
+(expandtypeattribute (devpts_33_0) true)
+(expandtypeattribute (dhcp_33_0) true)
+(expandtypeattribute (dhcp_data_file_33_0) true)
+(expandtypeattribute (dhcp_exec_33_0) true)
+(expandtypeattribute (dhcp_prop_33_0) true)
+(expandtypeattribute (dice_maintenance_service_33_0) true)
+(expandtypeattribute (dice_node_service_33_0) true)
+(expandtypeattribute (diced_33_0) true)
+(expandtypeattribute (diced_exec_33_0) true)
+(expandtypeattribute (diskstats_service_33_0) true)
+(expandtypeattribute (display_service_33_0) true)
+(expandtypeattribute (dm_device_33_0) true)
+(expandtypeattribute (dm_user_device_33_0) true)
+(expandtypeattribute (dmabuf_heap_device_33_0) true)
+(expandtypeattribute (dmabuf_system_heap_device_33_0) true)
+(expandtypeattribute (dmabuf_system_secure_heap_device_33_0) true)
+(expandtypeattribute (dnsmasq_33_0) true)
+(expandtypeattribute (dnsmasq_exec_33_0) true)
+(expandtypeattribute (dnsproxyd_socket_33_0) true)
+(expandtypeattribute (dnsresolver_service_33_0) true)
+(expandtypeattribute (domain_verification_service_33_0) true)
+(expandtypeattribute (dreams_service_33_0) true)
+(expandtypeattribute (drm_data_file_33_0) true)
+(expandtypeattribute (drm_service_config_prop_33_0) true)
+(expandtypeattribute (drmserver_33_0) true)
+(expandtypeattribute (drmserver_exec_33_0) true)
+(expandtypeattribute (drmserver_service_33_0) true)
+(expandtypeattribute (drmserver_socket_33_0) true)
+(expandtypeattribute (dropbox_data_file_33_0) true)
+(expandtypeattribute (dropbox_service_33_0) true)
+(expandtypeattribute (dumpstate_33_0) true)
+(expandtypeattribute (dumpstate_exec_33_0) true)
+(expandtypeattribute (dumpstate_options_prop_33_0) true)
+(expandtypeattribute (dumpstate_prop_33_0) true)
+(expandtypeattribute (dumpstate_service_33_0) true)
+(expandtypeattribute (dumpstate_socket_33_0) true)
+(expandtypeattribute (dynamic_system_prop_33_0) true)
+(expandtypeattribute (e2fs_33_0) true)
+(expandtypeattribute (e2fs_exec_33_0) true)
+(expandtypeattribute (efs_file_33_0) true)
+(expandtypeattribute (emergency_affordance_service_33_0) true)
+(expandtypeattribute (ephemeral_app_33_0) true)
+(expandtypeattribute (ethernet_service_33_0) true)
+(expandtypeattribute (evsmanagerd_33_0) true)
+(expandtypeattribute (evsmanagerd_service_33_0) true)
+(expandtypeattribute (exfat_33_0) true)
+(expandtypeattribute (exported3_system_prop_33_0) true)
+(expandtypeattribute (exported_bluetooth_prop_33_0) true)
+(expandtypeattribute (exported_camera_prop_33_0) true)
+(expandtypeattribute (exported_config_prop_33_0) true)
+(expandtypeattribute (exported_default_prop_33_0) true)
+(expandtypeattribute (exported_dumpstate_prop_33_0) true)
+(expandtypeattribute (exported_overlay_prop_33_0) true)
+(expandtypeattribute (exported_pm_prop_33_0) true)
+(expandtypeattribute (exported_secure_prop_33_0) true)
+(expandtypeattribute (exported_system_prop_33_0) true)
+(expandtypeattribute (external_vibrator_service_33_0) true)
+(expandtypeattribute (extra_free_kbytes_33_0) true)
+(expandtypeattribute (extra_free_kbytes_exec_33_0) true)
+(expandtypeattribute (face_service_33_0) true)
+(expandtypeattribute (face_vendor_data_file_33_0) true)
+(expandtypeattribute (fastbootd_33_0) true)
+(expandtypeattribute (ffs_config_prop_33_0) true)
+(expandtypeattribute (ffs_control_prop_33_0) true)
+(expandtypeattribute (file_contexts_file_33_0) true)
+(expandtypeattribute (file_integrity_service_33_0) true)
+(expandtypeattribute (fingerprint_prop_33_0) true)
+(expandtypeattribute (fingerprint_service_33_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_33_0) true)
+(expandtypeattribute (fingerprintd_33_0) true)
+(expandtypeattribute (fingerprintd_data_file_33_0) true)
+(expandtypeattribute (fingerprintd_exec_33_0) true)
+(expandtypeattribute (fingerprintd_service_33_0) true)
+(expandtypeattribute (firstboot_prop_33_0) true)
+(expandtypeattribute (flags_health_check_33_0) true)
+(expandtypeattribute (flags_health_check_exec_33_0) true)
+(expandtypeattribute (font_service_33_0) true)
+(expandtypeattribute (framework_watchdog_config_prop_33_0) true)
+(expandtypeattribute (frp_block_device_33_0) true)
+(expandtypeattribute (fs_bpf_33_0) true)
+(expandtypeattribute (fs_bpf_tethering_33_0) true)
+(expandtypeattribute (fs_bpf_vendor_33_0) true)
+(expandtypeattribute (fsck_33_0) true)
+(expandtypeattribute (fsck_exec_33_0) true)
+(expandtypeattribute (fsck_untrusted_33_0) true)
+(expandtypeattribute (fscklogs_33_0) true)
+(expandtypeattribute (functionfs_33_0) true)
+(expandtypeattribute (fuse_33_0) true)
+(expandtypeattribute (fuse_device_33_0) true)
+(expandtypeattribute (fusectlfs_33_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_33_0) true)
+(expandtypeattribute (fwk_automotive_display_service_33_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_33_0) true)
+(expandtypeattribute (fwk_camera_hwservice_33_0) true)
+(expandtypeattribute (fwk_display_hwservice_33_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_33_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_33_0) true)
+(expandtypeattribute (fwk_stats_hwservice_33_0) true)
+(expandtypeattribute (fwk_stats_service_33_0) true)
+(expandtypeattribute (fwmarkd_socket_33_0) true)
+(expandtypeattribute (game_mode_intervention_list_file_33_0) true)
+(expandtypeattribute (game_service_33_0) true)
+(expandtypeattribute (gatekeeper_data_file_33_0) true)
+(expandtypeattribute (gatekeeper_service_33_0) true)
+(expandtypeattribute (gatekeeperd_33_0) true)
+(expandtypeattribute (gatekeeperd_exec_33_0) true)
+(expandtypeattribute (gesture_prop_33_0) true)
+(expandtypeattribute (gfxinfo_service_33_0) true)
+(expandtypeattribute (gmscore_app_33_0) true)
+(expandtypeattribute (gnss_device_33_0) true)
+(expandtypeattribute (gnss_time_update_service_33_0) true)
+(expandtypeattribute (gps_control_33_0) true)
+(expandtypeattribute (gpu_device_33_0) true)
+(expandtypeattribute (gpu_service_33_0) true)
+(expandtypeattribute (gpuservice_33_0) true)
+(expandtypeattribute (graphics_config_prop_33_0) true)
+(expandtypeattribute (graphics_device_33_0) true)
+(expandtypeattribute (graphicsstats_service_33_0) true)
+(expandtypeattribute (gsi_data_file_33_0) true)
+(expandtypeattribute (gsi_metadata_file_33_0) true)
+(expandtypeattribute (gsi_public_metadata_file_33_0) true)
+(expandtypeattribute (gwp_asan_prop_33_0) true)
+(expandtypeattribute (hal_atrace_hwservice_33_0) true)
+(expandtypeattribute (hal_audio_hwservice_33_0) true)
+(expandtypeattribute (hal_audio_service_33_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_33_0) true)
+(expandtypeattribute (hal_audiocontrol_service_33_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_33_0) true)
+(expandtypeattribute (hal_authsecret_service_33_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_33_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_33_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_33_0) true)
+(expandtypeattribute (hal_camera_hwservice_33_0) true)
+(expandtypeattribute (hal_camera_service_33_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_33_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_33_0) true)
+(expandtypeattribute (hal_cas_hwservice_33_0) true)
+(expandtypeattribute (hal_codec2_hwservice_33_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_33_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_33_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_33_0) true)
+(expandtypeattribute (hal_contexthub_service_33_0) true)
+(expandtypeattribute (hal_dice_service_33_0) true)
+(expandtypeattribute (hal_drm_hwservice_33_0) true)
+(expandtypeattribute (hal_drm_service_33_0) true)
+(expandtypeattribute (hal_dumpstate_config_prop_33_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_33_0) true)
+(expandtypeattribute (hal_dumpstate_service_33_0) true)
+(expandtypeattribute (hal_evs_hwservice_33_0) true)
+(expandtypeattribute (hal_evs_service_33_0) true)
+(expandtypeattribute (hal_face_hwservice_33_0) true)
+(expandtypeattribute (hal_face_service_33_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_33_0) true)
+(expandtypeattribute (hal_fingerprint_service_33_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_33_0) true)
+(expandtypeattribute (hal_gnss_hwservice_33_0) true)
+(expandtypeattribute (hal_gnss_service_33_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_33_0) true)
+(expandtypeattribute (hal_graphics_allocator_service_33_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_33_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_33_0) true)
+(expandtypeattribute (hal_graphics_composer_service_33_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_33_0) true)
+(expandtypeattribute (hal_health_hwservice_33_0) true)
+(expandtypeattribute (hal_health_service_33_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_33_0) true)
+(expandtypeattribute (hal_health_storage_service_33_0) true)
+(expandtypeattribute (hal_identity_service_33_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_33_0) true)
+(expandtypeattribute (hal_input_processor_service_33_0) true)
+(expandtypeattribute (hal_instrumentation_prop_33_0) true)
+(expandtypeattribute (hal_ir_hwservice_33_0) true)
+(expandtypeattribute (hal_ir_service_33_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_33_0) true)
+(expandtypeattribute (hal_keymint_service_33_0) true)
+(expandtypeattribute (hal_light_hwservice_33_0) true)
+(expandtypeattribute (hal_light_service_33_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_33_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_33_0) true)
+(expandtypeattribute (hal_memtrack_service_33_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_33_0) true)
+(expandtypeattribute (hal_neuralnetworks_service_33_0) true)
+(expandtypeattribute (hal_nfc_hwservice_33_0) true)
+(expandtypeattribute (hal_nfc_service_33_0) true)
+(expandtypeattribute (hal_nlinterceptor_service_33_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_33_0) true)
+(expandtypeattribute (hal_oemlock_service_33_0) true)
+(expandtypeattribute (hal_omx_hwservice_33_0) true)
+(expandtypeattribute (hal_power_hwservice_33_0) true)
+(expandtypeattribute (hal_power_service_33_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_33_0) true)
+(expandtypeattribute (hal_power_stats_service_33_0) true)
+(expandtypeattribute (hal_radio_service_33_0) true)
+(expandtypeattribute (hal_rebootescrow_service_33_0) true)
+(expandtypeattribute (hal_remotelyprovisionedcomponent_service_33_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_33_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_33_0) true)
+(expandtypeattribute (hal_secureclock_service_33_0) true)
+(expandtypeattribute (hal_sensors_hwservice_33_0) true)
+(expandtypeattribute (hal_sensors_service_33_0) true)
+(expandtypeattribute (hal_sharedsecret_service_33_0) true)
+(expandtypeattribute (hal_system_suspend_service_33_0) true)
+(expandtypeattribute (hal_telephony_hwservice_33_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_33_0) true)
+(expandtypeattribute (hal_thermal_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_tuner_service_33_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_33_0) true)
+(expandtypeattribute (hal_usb_hwservice_33_0) true)
+(expandtypeattribute (hal_usb_service_33_0) true)
+(expandtypeattribute (hal_uwb_service_33_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_33_0) true)
+(expandtypeattribute (hal_vehicle_service_33_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_33_0) true)
+(expandtypeattribute (hal_vibrator_service_33_0) true)
+(expandtypeattribute (hal_vr_hwservice_33_0) true)
+(expandtypeattribute (hal_weaver_hwservice_33_0) true)
+(expandtypeattribute (hal_weaver_service_33_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_33_0) true)
+(expandtypeattribute (hal_wifi_hostapd_service_33_0) true)
+(expandtypeattribute (hal_wifi_hwservice_33_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_33_0) true)
+(expandtypeattribute (hal_wifi_supplicant_service_33_0) true)
+(expandtypeattribute (hardware_properties_service_33_0) true)
+(expandtypeattribute (hardware_service_33_0) true)
+(expandtypeattribute (hci_attach_dev_33_0) true)
+(expandtypeattribute (hdmi_config_prop_33_0) true)
+(expandtypeattribute (hdmi_control_service_33_0) true)
+(expandtypeattribute (healthd_33_0) true)
+(expandtypeattribute (heapdump_data_file_33_0) true)
+(expandtypeattribute (heapprofd_33_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_33_0) true)
+(expandtypeattribute (heapprofd_prop_33_0) true)
+(expandtypeattribute (heapprofd_socket_33_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_33_0) true)
+(expandtypeattribute (hidl_base_hwservice_33_0) true)
+(expandtypeattribute (hidl_manager_hwservice_33_0) true)
+(expandtypeattribute (hidl_memory_hwservice_33_0) true)
+(expandtypeattribute (hidl_token_hwservice_33_0) true)
+(expandtypeattribute (hint_service_33_0) true)
+(expandtypeattribute (hw_random_device_33_0) true)
+(expandtypeattribute (hw_timeout_multiplier_prop_33_0) true)
+(expandtypeattribute (hwbinder_device_33_0) true)
+(expandtypeattribute (hwservice_contexts_file_33_0) true)
+(expandtypeattribute (hwservicemanager_33_0) true)
+(expandtypeattribute (hwservicemanager_exec_33_0) true)
+(expandtypeattribute (hwservicemanager_prop_33_0) true)
+(expandtypeattribute (hypervisor_prop_33_0) true)
+(expandtypeattribute (icon_file_33_0) true)
+(expandtypeattribute (idmap_33_0) true)
+(expandtypeattribute (idmap_exec_33_0) true)
+(expandtypeattribute (idmap_service_33_0) true)
+(expandtypeattribute (iio_device_33_0) true)
+(expandtypeattribute (imms_service_33_0) true)
+(expandtypeattribute (incident_33_0) true)
+(expandtypeattribute (incident_data_file_33_0) true)
+(expandtypeattribute (incident_helper_33_0) true)
+(expandtypeattribute (incident_service_33_0) true)
+(expandtypeattribute (incidentd_33_0) true)
+(expandtypeattribute (incremental_control_file_33_0) true)
+(expandtypeattribute (incremental_prop_33_0) true)
+(expandtypeattribute (incremental_service_33_0) true)
+(expandtypeattribute (init_33_0) true)
+(expandtypeattribute (init_exec_33_0) true)
+(expandtypeattribute (init_service_status_prop_33_0) true)
+(expandtypeattribute (init_tmpfs_33_0) true)
+(expandtypeattribute (inotify_33_0) true)
+(expandtypeattribute (input_device_33_0) true)
+(expandtypeattribute (input_method_service_33_0) true)
+(expandtypeattribute (input_service_33_0) true)
+(expandtypeattribute (inputflinger_33_0) true)
+(expandtypeattribute (inputflinger_exec_33_0) true)
+(expandtypeattribute (inputflinger_service_33_0) true)
+(expandtypeattribute (install_data_file_33_0) true)
+(expandtypeattribute (installd_33_0) true)
+(expandtypeattribute (installd_exec_33_0) true)
+(expandtypeattribute (installd_service_33_0) true)
+(expandtypeattribute (ion_device_33_0) true)
+(expandtypeattribute (iorap_inode2filename_33_0) true)
+(expandtypeattribute (iorap_inode2filename_exec_33_0) true)
+(expandtypeattribute (iorap_inode2filename_tmpfs_33_0) true)
+(expandtypeattribute (iorap_prefetcherd_33_0) true)
+(expandtypeattribute (iorap_prefetcherd_exec_33_0) true)
+(expandtypeattribute (iorap_prefetcherd_tmpfs_33_0) true)
+(expandtypeattribute (iorapd_33_0) true)
+(expandtypeattribute (iorapd_data_file_33_0) true)
+(expandtypeattribute (iorapd_exec_33_0) true)
+(expandtypeattribute (iorapd_service_33_0) true)
+(expandtypeattribute (iorapd_tmpfs_33_0) true)
+(expandtypeattribute (ipsec_service_33_0) true)
+(expandtypeattribute (iris_service_33_0) true)
+(expandtypeattribute (iris_vendor_data_file_33_0) true)
+(expandtypeattribute (isolated_app_33_0) true)
+(expandtypeattribute (jobscheduler_service_33_0) true)
+(expandtypeattribute (kernel_33_0) true)
+(expandtypeattribute (keychain_data_file_33_0) true)
+(expandtypeattribute (keychord_device_33_0) true)
+(expandtypeattribute (keyguard_config_prop_33_0) true)
+(expandtypeattribute (keystore2_key_contexts_file_33_0) true)
+(expandtypeattribute (keystore_33_0) true)
+(expandtypeattribute (keystore_compat_hal_service_33_0) true)
+(expandtypeattribute (keystore_data_file_33_0) true)
+(expandtypeattribute (keystore_exec_33_0) true)
+(expandtypeattribute (keystore_maintenance_service_33_0) true)
+(expandtypeattribute (keystore_metrics_service_33_0) true)
+(expandtypeattribute (keystore_service_33_0) true)
+(expandtypeattribute (kmsg_debug_device_33_0) true)
+(expandtypeattribute (kmsg_device_33_0) true)
+(expandtypeattribute (labeledfs_33_0) true)
+(expandtypeattribute (launcherapps_service_33_0) true)
+(expandtypeattribute (legacy_permission_service_33_0) true)
+(expandtypeattribute (legacykeystore_service_33_0) true)
+(expandtypeattribute (libc_debug_prop_33_0) true)
+(expandtypeattribute (light_service_33_0) true)
+(expandtypeattribute (linkerconfig_file_33_0) true)
+(expandtypeattribute (llkd_33_0) true)
+(expandtypeattribute (llkd_exec_33_0) true)
+(expandtypeattribute (llkd_prop_33_0) true)
+(expandtypeattribute (lmkd_33_0) true)
+(expandtypeattribute (lmkd_config_prop_33_0) true)
+(expandtypeattribute (lmkd_exec_33_0) true)
+(expandtypeattribute (lmkd_prop_33_0) true)
+(expandtypeattribute (lmkd_socket_33_0) true)
+(expandtypeattribute (locale_service_33_0) true)
+(expandtypeattribute (location_service_33_0) true)
+(expandtypeattribute (location_time_zone_manager_service_33_0) true)
+(expandtypeattribute (lock_settings_service_33_0) true)
+(expandtypeattribute (log_prop_33_0) true)
+(expandtypeattribute (log_tag_prop_33_0) true)
+(expandtypeattribute (logcat_exec_33_0) true)
+(expandtypeattribute (logd_33_0) true)
+(expandtypeattribute (logd_exec_33_0) true)
+(expandtypeattribute (logd_prop_33_0) true)
+(expandtypeattribute (logd_socket_33_0) true)
+(expandtypeattribute (logdr_socket_33_0) true)
+(expandtypeattribute (logdw_socket_33_0) true)
+(expandtypeattribute (logpersist_33_0) true)
+(expandtypeattribute (logpersistd_logging_prop_33_0) true)
+(expandtypeattribute (loop_control_device_33_0) true)
+(expandtypeattribute (loop_device_33_0) true)
+(expandtypeattribute (looper_stats_service_33_0) true)
+(expandtypeattribute (lowpan_device_33_0) true)
+(expandtypeattribute (lowpan_prop_33_0) true)
+(expandtypeattribute (lowpan_service_33_0) true)
+(expandtypeattribute (lpdump_service_33_0) true)
+(expandtypeattribute (lpdumpd_prop_33_0) true)
+(expandtypeattribute (mac_perms_file_33_0) true)
+(expandtypeattribute (mdns_service_33_0) true)
+(expandtypeattribute (mdns_socket_33_0) true)
+(expandtypeattribute (mdnsd_33_0) true)
+(expandtypeattribute (mdnsd_socket_33_0) true)
+(expandtypeattribute (media_communication_service_33_0) true)
+(expandtypeattribute (media_config_prop_33_0) true)
+(expandtypeattribute (media_data_file_33_0) true)
+(expandtypeattribute (media_metrics_service_33_0) true)
+(expandtypeattribute (media_projection_service_33_0) true)
+(expandtypeattribute (media_router_service_33_0) true)
+(expandtypeattribute (media_rw_data_file_33_0) true)
+(expandtypeattribute (media_session_service_33_0) true)
+(expandtypeattribute (media_variant_prop_33_0) true)
+(expandtypeattribute (mediadrm_config_prop_33_0) true)
+(expandtypeattribute (mediadrmserver_33_0) true)
+(expandtypeattribute (mediadrmserver_exec_33_0) true)
+(expandtypeattribute (mediadrmserver_service_33_0) true)
+(expandtypeattribute (mediaextractor_33_0) true)
+(expandtypeattribute (mediaextractor_exec_33_0) true)
+(expandtypeattribute (mediaextractor_service_33_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_33_0) true)
+(expandtypeattribute (mediametrics_33_0) true)
+(expandtypeattribute (mediametrics_exec_33_0) true)
+(expandtypeattribute (mediametrics_service_33_0) true)
+(expandtypeattribute (mediaprovider_33_0) true)
+(expandtypeattribute (mediaserver_33_0) true)
+(expandtypeattribute (mediaserver_exec_33_0) true)
+(expandtypeattribute (mediaserver_service_33_0) true)
+(expandtypeattribute (mediaserver_tmpfs_33_0) true)
+(expandtypeattribute (mediaswcodec_33_0) true)
+(expandtypeattribute (mediaswcodec_exec_33_0) true)
+(expandtypeattribute (mediatranscoding_33_0) true)
+(expandtypeattribute (mediatranscoding_service_33_0) true)
+(expandtypeattribute (meminfo_service_33_0) true)
+(expandtypeattribute (memtrackproxy_service_33_0) true)
+(expandtypeattribute (metadata_block_device_33_0) true)
+(expandtypeattribute (metadata_bootstat_file_33_0) true)
+(expandtypeattribute (metadata_file_33_0) true)
+(expandtypeattribute (method_trace_data_file_33_0) true)
+(expandtypeattribute (midi_service_33_0) true)
+(expandtypeattribute (mirror_data_file_33_0) true)
+(expandtypeattribute (misc_block_device_33_0) true)
+(expandtypeattribute (misc_logd_file_33_0) true)
+(expandtypeattribute (misc_user_data_file_33_0) true)
+(expandtypeattribute (mm_events_config_prop_33_0) true)
+(expandtypeattribute (mmc_prop_33_0) true)
+(expandtypeattribute (mnt_expand_file_33_0) true)
+(expandtypeattribute (mnt_media_rw_file_33_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_33_0) true)
+(expandtypeattribute (mnt_pass_through_file_33_0) true)
+(expandtypeattribute (mnt_product_file_33_0) true)
+(expandtypeattribute (mnt_sdcard_file_33_0) true)
+(expandtypeattribute (mnt_user_file_33_0) true)
+(expandtypeattribute (mnt_vendor_file_33_0) true)
+(expandtypeattribute (mock_ota_prop_33_0) true)
+(expandtypeattribute (modprobe_33_0) true)
+(expandtypeattribute (module_sdkextensions_prop_33_0) true)
+(expandtypeattribute (mount_service_33_0) true)
+(expandtypeattribute (mqueue_33_0) true)
+(expandtypeattribute (mtp_33_0) true)
+(expandtypeattribute (mtp_device_33_0) true)
+(expandtypeattribute (mtp_exec_33_0) true)
+(expandtypeattribute (mtpd_socket_33_0) true)
+(expandtypeattribute (music_recognition_service_33_0) true)
+(expandtypeattribute (nativetest_data_file_33_0) true)
+(expandtypeattribute (nearby_service_33_0) true)
+(expandtypeattribute (net_data_file_33_0) true)
+(expandtypeattribute (net_dns_prop_33_0) true)
+(expandtypeattribute (net_radio_prop_33_0) true)
+(expandtypeattribute (netd_33_0) true)
+(expandtypeattribute (netd_exec_33_0) true)
+(expandtypeattribute (netd_listener_service_33_0) true)
+(expandtypeattribute (netd_service_33_0) true)
+(expandtypeattribute (netif_33_0) true)
+(expandtypeattribute (netpolicy_service_33_0) true)
+(expandtypeattribute (netstats_service_33_0) true)
+(expandtypeattribute (netutils_wrapper_33_0) true)
+(expandtypeattribute (netutils_wrapper_exec_33_0) true)
+(expandtypeattribute (network_management_service_33_0) true)
+(expandtypeattribute (network_score_service_33_0) true)
+(expandtypeattribute (network_stack_33_0) true)
+(expandtypeattribute (network_stack_service_33_0) true)
+(expandtypeattribute (network_time_update_service_33_0) true)
+(expandtypeattribute (network_watchlist_data_file_33_0) true)
+(expandtypeattribute (network_watchlist_service_33_0) true)
+(expandtypeattribute (nfc_33_0) true)
+(expandtypeattribute (nfc_data_file_33_0) true)
+(expandtypeattribute (nfc_device_33_0) true)
+(expandtypeattribute (nfc_logs_data_file_33_0) true)
+(expandtypeattribute (nfc_prop_33_0) true)
+(expandtypeattribute (nfc_service_33_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_33_0) true)
+(expandtypeattribute (node_33_0) true)
+(expandtypeattribute (notification_service_33_0) true)
+(expandtypeattribute (null_device_33_0) true)
+(expandtypeattribute (oem_lock_service_33_0) true)
+(expandtypeattribute (oem_unlock_prop_33_0) true)
+(expandtypeattribute (oemfs_33_0) true)
+(expandtypeattribute (ota_data_file_33_0) true)
+(expandtypeattribute (ota_metadata_file_33_0) true)
+(expandtypeattribute (ota_package_file_33_0) true)
+(expandtypeattribute (ota_prop_33_0) true)
+(expandtypeattribute (otadexopt_service_33_0) true)
+(expandtypeattribute (otapreopt_chroot_33_0) true)
+(expandtypeattribute (overlay_prop_33_0) true)
+(expandtypeattribute (overlay_service_33_0) true)
+(expandtypeattribute (overlayfs_file_33_0) true)
+(expandtypeattribute (owntty_device_33_0) true)
+(expandtypeattribute (pac_proxy_service_33_0) true)
+(expandtypeattribute (package_native_service_33_0) true)
+(expandtypeattribute (package_service_33_0) true)
+(expandtypeattribute (packagemanager_config_prop_33_0) true)
+(expandtypeattribute (packages_list_file_33_0) true)
+(expandtypeattribute (pan_result_prop_33_0) true)
+(expandtypeattribute (password_slot_metadata_file_33_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_33_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_33_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_display_dir_33_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_33_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_performance_dir_33_0) true)
+(expandtypeattribute (people_service_33_0) true)
+(expandtypeattribute (perfetto_33_0) true)
+(expandtypeattribute (performanced_33_0) true)
+(expandtypeattribute (performanced_exec_33_0) true)
+(expandtypeattribute (permission_checker_service_33_0) true)
+(expandtypeattribute (permission_service_33_0) true)
+(expandtypeattribute (permissionmgr_service_33_0) true)
+(expandtypeattribute (persist_debug_prop_33_0) true)
+(expandtypeattribute (persist_vendor_debug_wifi_prop_33_0) true)
+(expandtypeattribute (persist_wm_debug_prop_33_0) true)
+(expandtypeattribute (persistent_data_block_service_33_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_33_0) true)
+(expandtypeattribute (pinner_service_33_0) true)
+(expandtypeattribute (pipefs_33_0) true)
+(expandtypeattribute (platform_app_33_0) true)
+(expandtypeattribute (platform_compat_service_33_0) true)
+(expandtypeattribute (pmsg_device_33_0) true)
+(expandtypeattribute (port_33_0) true)
+(expandtypeattribute (port_device_33_0) true)
+(expandtypeattribute (postinstall_33_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_33_0) true)
+(expandtypeattribute (postinstall_file_33_0) true)
+(expandtypeattribute (postinstall_mnt_dir_33_0) true)
+(expandtypeattribute (power_debug_prop_33_0) true)
+(expandtypeattribute (power_service_33_0) true)
+(expandtypeattribute (powerctl_prop_33_0) true)
+(expandtypeattribute (powerstats_service_33_0) true)
+(expandtypeattribute (ppp_33_0) true)
+(expandtypeattribute (ppp_device_33_0) true)
+(expandtypeattribute (ppp_exec_33_0) true)
+(expandtypeattribute (preloads_data_file_33_0) true)
+(expandtypeattribute (preloads_media_file_33_0) true)
+(expandtypeattribute (prereboot_data_file_33_0) true)
+(expandtypeattribute (print_service_33_0) true)
+(expandtypeattribute (priv_app_33_0) true)
+(expandtypeattribute (privapp_data_file_33_0) true)
+(expandtypeattribute (proc_33_0) true)
+(expandtypeattribute (proc_abi_33_0) true)
+(expandtypeattribute (proc_asound_33_0) true)
+(expandtypeattribute (proc_bluetooth_writable_33_0) true)
+(expandtypeattribute (proc_bootconfig_33_0) true)
+(expandtypeattribute (proc_bpf_33_0) true)
+(expandtypeattribute (proc_buddyinfo_33_0) true)
+(expandtypeattribute (proc_cmdline_33_0) true)
+(expandtypeattribute (proc_cpu_alignment_33_0) true)
+(expandtypeattribute (proc_cpuinfo_33_0) true)
+(expandtypeattribute (proc_dirty_33_0) true)
+(expandtypeattribute (proc_diskstats_33_0) true)
+(expandtypeattribute (proc_drop_caches_33_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_33_0) true)
+(expandtypeattribute (proc_filesystems_33_0) true)
+(expandtypeattribute (proc_fs_verity_33_0) true)
+(expandtypeattribute (proc_hostname_33_0) true)
+(expandtypeattribute (proc_hung_task_33_0) true)
+(expandtypeattribute (proc_interrupts_33_0) true)
+(expandtypeattribute (proc_iomem_33_0) true)
+(expandtypeattribute (proc_kallsyms_33_0) true)
+(expandtypeattribute (proc_keys_33_0) true)
+(expandtypeattribute (proc_kmsg_33_0) true)
+(expandtypeattribute (proc_kpageflags_33_0) true)
+(expandtypeattribute (proc_loadavg_33_0) true)
+(expandtypeattribute (proc_locks_33_0) true)
+(expandtypeattribute (proc_lowmemorykiller_33_0) true)
+(expandtypeattribute (proc_max_map_count_33_0) true)
+(expandtypeattribute (proc_meminfo_33_0) true)
+(expandtypeattribute (proc_min_free_order_shift_33_0) true)
+(expandtypeattribute (proc_misc_33_0) true)
+(expandtypeattribute (proc_modules_33_0) true)
+(expandtypeattribute (proc_mounts_33_0) true)
+(expandtypeattribute (proc_net_33_0) true)
+(expandtypeattribute (proc_net_tcp_udp_33_0) true)
+(expandtypeattribute (proc_overcommit_memory_33_0) true)
+(expandtypeattribute (proc_page_cluster_33_0) true)
+(expandtypeattribute (proc_pagetypeinfo_33_0) true)
+(expandtypeattribute (proc_panic_33_0) true)
+(expandtypeattribute (proc_perf_33_0) true)
+(expandtypeattribute (proc_pid_max_33_0) true)
+(expandtypeattribute (proc_pipe_conf_33_0) true)
+(expandtypeattribute (proc_pressure_cpu_33_0) true)
+(expandtypeattribute (proc_pressure_io_33_0) true)
+(expandtypeattribute (proc_pressure_mem_33_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_33_0) true)
+(expandtypeattribute (proc_qtaguid_stat_33_0) true)
+(expandtypeattribute (proc_random_33_0) true)
+(expandtypeattribute (proc_sched_33_0) true)
+(expandtypeattribute (proc_security_33_0) true)
+(expandtypeattribute (proc_slabinfo_33_0) true)
+(expandtypeattribute (proc_stat_33_0) true)
+(expandtypeattribute (proc_swaps_33_0) true)
+(expandtypeattribute (proc_sysrq_33_0) true)
+(expandtypeattribute (proc_timer_33_0) true)
+(expandtypeattribute (proc_tty_drivers_33_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_33_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_33_0) true)
+(expandtypeattribute (proc_uid_cpupower_33_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_33_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_33_0) true)
+(expandtypeattribute (proc_uid_io_stats_33_0) true)
+(expandtypeattribute (proc_uid_procstat_set_33_0) true)
+(expandtypeattribute (proc_uid_time_in_state_33_0) true)
+(expandtypeattribute (proc_uptime_33_0) true)
+(expandtypeattribute (proc_vendor_sched_33_0) true)
+(expandtypeattribute (proc_version_33_0) true)
+(expandtypeattribute (proc_vmallocinfo_33_0) true)
+(expandtypeattribute (proc_vmstat_33_0) true)
+(expandtypeattribute (proc_watermark_boost_factor_33_0) true)
+(expandtypeattribute (proc_watermark_scale_factor_33_0) true)
+(expandtypeattribute (proc_zoneinfo_33_0) true)
+(expandtypeattribute (processinfo_service_33_0) true)
+(expandtypeattribute (procstats_service_33_0) true)
+(expandtypeattribute (profman_33_0) true)
+(expandtypeattribute (profman_dump_data_file_33_0) true)
+(expandtypeattribute (profman_exec_33_0) true)
+(expandtypeattribute (properties_device_33_0) true)
+(expandtypeattribute (properties_serial_33_0) true)
+(expandtypeattribute (property_contexts_file_33_0) true)
+(expandtypeattribute (property_data_file_33_0) true)
+(expandtypeattribute (property_info_33_0) true)
+(expandtypeattribute (property_service_version_prop_33_0) true)
+(expandtypeattribute (property_socket_33_0) true)
+(expandtypeattribute (provisioned_prop_33_0) true)
+(expandtypeattribute (pstorefs_33_0) true)
+(expandtypeattribute (ptmx_device_33_0) true)
+(expandtypeattribute (qemu_hw_prop_33_0) true)
+(expandtypeattribute (qemu_sf_lcd_density_prop_33_0) true)
+(expandtypeattribute (qtaguid_device_33_0) true)
+(expandtypeattribute (racoon_33_0) true)
+(expandtypeattribute (racoon_exec_33_0) true)
+(expandtypeattribute (racoon_socket_33_0) true)
+(expandtypeattribute (radio_33_0) true)
+(expandtypeattribute (radio_control_prop_33_0) true)
+(expandtypeattribute (radio_core_data_file_33_0) true)
+(expandtypeattribute (radio_data_file_33_0) true)
+(expandtypeattribute (radio_device_33_0) true)
+(expandtypeattribute (radio_prop_33_0) true)
+(expandtypeattribute (radio_service_33_0) true)
+(expandtypeattribute (ram_device_33_0) true)
+(expandtypeattribute (random_device_33_0) true)
+(expandtypeattribute (reboot_readiness_service_33_0) true)
+(expandtypeattribute (rebootescrow_hal_prop_33_0) true)
+(expandtypeattribute (recovery_33_0) true)
+(expandtypeattribute (recovery_block_device_33_0) true)
+(expandtypeattribute (recovery_config_prop_33_0) true)
+(expandtypeattribute (recovery_data_file_33_0) true)
+(expandtypeattribute (recovery_persist_33_0) true)
+(expandtypeattribute (recovery_persist_exec_33_0) true)
+(expandtypeattribute (recovery_refresh_33_0) true)
+(expandtypeattribute (recovery_refresh_exec_33_0) true)
+(expandtypeattribute (recovery_service_33_0) true)
+(expandtypeattribute (recovery_socket_33_0) true)
+(expandtypeattribute (registry_service_33_0) true)
+(expandtypeattribute (remotelyprovisionedkeypool_service_33_0) true)
+(expandtypeattribute (remoteprovisioning_service_33_0) true)
+(expandtypeattribute (resourcecache_data_file_33_0) true)
+(expandtypeattribute (resources_manager_service_33_0) true)
+(expandtypeattribute (restorecon_prop_33_0) true)
+(expandtypeattribute (restrictions_service_33_0) true)
+(expandtypeattribute (retaildemo_prop_33_0) true)
+(expandtypeattribute (rild_debug_socket_33_0) true)
+(expandtypeattribute (rild_socket_33_0) true)
+(expandtypeattribute (ringtone_file_33_0) true)
+(expandtypeattribute (role_service_33_0) true)
+(expandtypeattribute (rollback_service_33_0) true)
+(expandtypeattribute (root_block_device_33_0) true)
+(expandtypeattribute (rootdisk_sysdev_33_0) true)
+(expandtypeattribute (rootfs_33_0) true)
+(expandtypeattribute (rpmsg_device_33_0) true)
+(expandtypeattribute (rs_33_0) true)
+(expandtypeattribute (rs_exec_33_0) true)
+(expandtypeattribute (rss_hwm_reset_33_0) true)
+(expandtypeattribute (rtc_device_33_0) true)
+(expandtypeattribute (rttmanager_service_33_0) true)
+(expandtypeattribute (runas_33_0) true)
+(expandtypeattribute (runas_app_33_0) true)
+(expandtypeattribute (runas_exec_33_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_33_0) true)
+(expandtypeattribute (runtime_service_33_0) true)
+(expandtypeattribute (safemode_prop_33_0) true)
+(expandtypeattribute (same_process_hal_file_33_0) true)
+(expandtypeattribute (samplingprofiler_service_33_0) true)
+(expandtypeattribute (scheduling_policy_service_33_0) true)
+(expandtypeattribute (sdcard_block_device_33_0) true)
+(expandtypeattribute (sdcardd_33_0) true)
+(expandtypeattribute (sdcardd_exec_33_0) true)
+(expandtypeattribute (sdcardfs_33_0) true)
+(expandtypeattribute (sdk_sandbox_service_33_0) true)
+(expandtypeattribute (seapp_contexts_file_33_0) true)
+(expandtypeattribute (search_service_33_0) true)
+(expandtypeattribute (search_ui_service_33_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_33_0) true)
+(expandtypeattribute (secure_element_33_0) true)
+(expandtypeattribute (secure_element_device_33_0) true)
+(expandtypeattribute (secure_element_service_33_0) true)
+(expandtypeattribute (securityfs_33_0) true)
+(expandtypeattribute (selection_toolbar_service_33_0) true)
+(expandtypeattribute (selinuxfs_33_0) true)
+(expandtypeattribute (sendbug_config_prop_33_0) true)
+(expandtypeattribute (sensor_privacy_service_33_0) true)
+(expandtypeattribute (sensors_device_33_0) true)
+(expandtypeattribute (sensorservice_service_33_0) true)
+(expandtypeattribute (sepolicy_file_33_0) true)
+(expandtypeattribute (serial_device_33_0) true)
+(expandtypeattribute (serial_service_33_0) true)
+(expandtypeattribute (serialno_prop_33_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_33_0) true)
+(expandtypeattribute (service_contexts_file_33_0) true)
+(expandtypeattribute (service_manager_service_33_0) true)
+(expandtypeattribute (service_manager_vndservice_33_0) true)
+(expandtypeattribute (servicediscovery_service_33_0) true)
+(expandtypeattribute (servicemanager_33_0) true)
+(expandtypeattribute (servicemanager_exec_33_0) true)
+(expandtypeattribute (settings_service_33_0) true)
+(expandtypeattribute (sgdisk_33_0) true)
+(expandtypeattribute (sgdisk_exec_33_0) true)
+(expandtypeattribute (shared_relro_33_0) true)
+(expandtypeattribute (shared_relro_file_33_0) true)
+(expandtypeattribute (shell_33_0) true)
+(expandtypeattribute (shell_data_file_33_0) true)
+(expandtypeattribute (shell_exec_33_0) true)
+(expandtypeattribute (shell_prop_33_0) true)
+(expandtypeattribute (shell_test_data_file_33_0) true)
+(expandtypeattribute (shm_33_0) true)
+(expandtypeattribute (shortcut_manager_icons_33_0) true)
+(expandtypeattribute (shortcut_service_33_0) true)
+(expandtypeattribute (simpleperf_33_0) true)
+(expandtypeattribute (simpleperf_app_runner_33_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_33_0) true)
+(expandtypeattribute (slice_service_33_0) true)
+(expandtypeattribute (slideshow_33_0) true)
+(expandtypeattribute (smart_idle_maint_enabled_prop_33_0) true)
+(expandtypeattribute (smartspace_service_33_0) true)
+(expandtypeattribute (snapshotctl_log_data_file_33_0) true)
+(expandtypeattribute (snapuserd_proxy_socket_33_0) true)
+(expandtypeattribute (snapuserd_socket_33_0) true)
+(expandtypeattribute (soc_prop_33_0) true)
+(expandtypeattribute (socket_device_33_0) true)
+(expandtypeattribute (socket_hook_prop_33_0) true)
+(expandtypeattribute (sockfs_33_0) true)
+(expandtypeattribute (sota_prop_33_0) true)
+(expandtypeattribute (soundtrigger_middleware_service_33_0) true)
+(expandtypeattribute (speech_recognition_service_33_0) true)
+(expandtypeattribute (sqlite_log_prop_33_0) true)
+(expandtypeattribute (staged_install_file_33_0) true)
+(expandtypeattribute (staging_data_file_33_0) true)
+(expandtypeattribute (stats_data_file_33_0) true)
+(expandtypeattribute (statsd_33_0) true)
+(expandtypeattribute (statsd_exec_33_0) true)
+(expandtypeattribute (statsdw_socket_33_0) true)
+(expandtypeattribute (statusbar_service_33_0) true)
+(expandtypeattribute (storage_config_prop_33_0) true)
+(expandtypeattribute (storage_file_33_0) true)
+(expandtypeattribute (storage_stub_file_33_0) true)
+(expandtypeattribute (storaged_service_33_0) true)
+(expandtypeattribute (storagemanager_config_prop_33_0) true)
+(expandtypeattribute (storagestats_service_33_0) true)
+(expandtypeattribute (su_33_0) true)
+(expandtypeattribute (su_exec_33_0) true)
+(expandtypeattribute (super_block_device_33_0) true)
+(expandtypeattribute (surfaceflinger_33_0) true)
+(expandtypeattribute (surfaceflinger_color_prop_33_0) true)
+(expandtypeattribute (surfaceflinger_display_prop_33_0) true)
+(expandtypeattribute (surfaceflinger_prop_33_0) true)
+(expandtypeattribute (surfaceflinger_service_33_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_33_0) true)
+(expandtypeattribute (suspend_prop_33_0) true)
+(expandtypeattribute (swap_block_device_33_0) true)
+(expandtypeattribute (sysfs_33_0) true)
+(expandtypeattribute (sysfs_android_usb_33_0) true)
+(expandtypeattribute (sysfs_batteryinfo_33_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_33_0) true)
+(expandtypeattribute (sysfs_devfreq_cur_33_0) true)
+(expandtypeattribute (sysfs_devfreq_dir_33_0) true)
+(expandtypeattribute (sysfs_devices_block_33_0) true)
+(expandtypeattribute (sysfs_devices_cs_etm_33_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_33_0) true)
+(expandtypeattribute (sysfs_dm_33_0) true)
+(expandtypeattribute (sysfs_dm_verity_33_0) true)
+(expandtypeattribute (sysfs_dma_heap_33_0) true)
+(expandtypeattribute (sysfs_dmabuf_stats_33_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_33_0) true)
+(expandtypeattribute (sysfs_extcon_33_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_33_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_33_0) true)
+(expandtypeattribute (sysfs_fs_fuse_bpf_33_0) true)
+(expandtypeattribute (sysfs_fs_incfs_features_33_0) true)
+(expandtypeattribute (sysfs_fs_incfs_metrics_33_0) true)
+(expandtypeattribute (sysfs_gpu_33_0) true)
+(expandtypeattribute (sysfs_hwrandom_33_0) true)
+(expandtypeattribute (sysfs_ion_33_0) true)
+(expandtypeattribute (sysfs_ipv4_33_0) true)
+(expandtypeattribute (sysfs_kernel_notes_33_0) true)
+(expandtypeattribute (sysfs_leds_33_0) true)
+(expandtypeattribute (sysfs_loop_33_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_33_0) true)
+(expandtypeattribute (sysfs_lru_gen_enabled_33_0) true)
+(expandtypeattribute (sysfs_net_33_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_33_0) true)
+(expandtypeattribute (sysfs_power_33_0) true)
+(expandtypeattribute (sysfs_rtc_33_0) true)
+(expandtypeattribute (sysfs_suspend_stats_33_0) true)
+(expandtypeattribute (sysfs_switch_33_0) true)
+(expandtypeattribute (sysfs_thermal_33_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_33_0) true)
+(expandtypeattribute (sysfs_uhid_33_0) true)
+(expandtypeattribute (sysfs_uio_33_0) true)
+(expandtypeattribute (sysfs_usb_33_0) true)
+(expandtypeattribute (sysfs_usermodehelper_33_0) true)
+(expandtypeattribute (sysfs_vendor_sched_33_0) true)
+(expandtypeattribute (sysfs_vibrator_33_0) true)
+(expandtypeattribute (sysfs_wake_lock_33_0) true)
+(expandtypeattribute (sysfs_wakeup_33_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_33_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_33_0) true)
+(expandtypeattribute (sysfs_zram_33_0) true)
+(expandtypeattribute (sysfs_zram_uevent_33_0) true)
+(expandtypeattribute (system_app_33_0) true)
+(expandtypeattribute (system_app_data_file_33_0) true)
+(expandtypeattribute (system_app_service_33_0) true)
+(expandtypeattribute (system_asan_options_file_33_0) true)
+(expandtypeattribute (system_block_device_33_0) true)
+(expandtypeattribute (system_boot_reason_prop_33_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_33_0) true)
+(expandtypeattribute (system_config_service_33_0) true)
+(expandtypeattribute (system_data_file_33_0) true)
+(expandtypeattribute (system_data_root_file_33_0) true)
+(expandtypeattribute (system_dlkm_file_33_0) true)
+(expandtypeattribute (system_event_log_tags_file_33_0) true)
+(expandtypeattribute (system_file_33_0) true)
+(expandtypeattribute (system_group_file_33_0) true)
+(expandtypeattribute (system_jvmti_agent_prop_33_0) true)
+(expandtypeattribute (system_lib_file_33_0) true)
+(expandtypeattribute (system_linker_config_file_33_0) true)
+(expandtypeattribute (system_linker_exec_33_0) true)
+(expandtypeattribute (system_lmk_prop_33_0) true)
+(expandtypeattribute (system_ndebug_socket_33_0) true)
+(expandtypeattribute (system_net_netd_hwservice_33_0) true)
+(expandtypeattribute (system_passwd_file_33_0) true)
+(expandtypeattribute (system_prop_33_0) true)
+(expandtypeattribute (system_seccomp_policy_file_33_0) true)
+(expandtypeattribute (system_security_cacerts_file_33_0) true)
+(expandtypeattribute (system_server_33_0) true)
+(expandtypeattribute (system_server_dumper_service_33_0) true)
+(expandtypeattribute (system_server_tmpfs_33_0) true)
+(expandtypeattribute (system_suspend_control_internal_service_33_0) true)
+(expandtypeattribute (system_suspend_control_service_33_0) true)
+(expandtypeattribute (system_suspend_hwservice_33_0) true)
+(expandtypeattribute (system_trace_prop_33_0) true)
+(expandtypeattribute (system_unsolzygote_socket_33_0) true)
+(expandtypeattribute (system_update_service_33_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_33_0) true)
+(expandtypeattribute (system_wpa_socket_33_0) true)
+(expandtypeattribute (system_zoneinfo_file_33_0) true)
+(expandtypeattribute (systemkeys_data_file_33_0) true)
+(expandtypeattribute (systemsound_config_prop_33_0) true)
+(expandtypeattribute (tare_service_33_0) true)
+(expandtypeattribute (task_profiles_api_file_33_0) true)
+(expandtypeattribute (task_profiles_file_33_0) true)
+(expandtypeattribute (task_service_33_0) true)
+(expandtypeattribute (tcpdump_exec_33_0) true)
+(expandtypeattribute (tee_33_0) true)
+(expandtypeattribute (tee_data_file_33_0) true)
+(expandtypeattribute (tee_device_33_0) true)
+(expandtypeattribute (telecom_service_33_0) true)
+(expandtypeattribute (telephony_config_prop_33_0) true)
+(expandtypeattribute (telephony_status_prop_33_0) true)
+(expandtypeattribute (test_boot_reason_prop_33_0) true)
+(expandtypeattribute (test_harness_prop_33_0) true)
+(expandtypeattribute (testharness_service_33_0) true)
+(expandtypeattribute (tethering_service_33_0) true)
+(expandtypeattribute (textclassification_service_33_0) true)
+(expandtypeattribute (textclassifier_data_file_33_0) true)
+(expandtypeattribute (textservices_service_33_0) true)
+(expandtypeattribute (texttospeech_service_33_0) true)
+(expandtypeattribute (theme_prop_33_0) true)
+(expandtypeattribute (thermal_service_33_0) true)
+(expandtypeattribute (time_prop_33_0) true)
+(expandtypeattribute (timedetector_service_33_0) true)
+(expandtypeattribute (timezone_service_33_0) true)
+(expandtypeattribute (timezonedetector_service_33_0) true)
+(expandtypeattribute (tmpfs_33_0) true)
+(expandtypeattribute (tombstone_config_prop_33_0) true)
+(expandtypeattribute (tombstone_data_file_33_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_33_0) true)
+(expandtypeattribute (tombstoned_33_0) true)
+(expandtypeattribute (tombstoned_crash_socket_33_0) true)
+(expandtypeattribute (tombstoned_exec_33_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_33_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_33_0) true)
+(expandtypeattribute (toolbox_33_0) true)
+(expandtypeattribute (toolbox_exec_33_0) true)
+(expandtypeattribute (trace_data_file_33_0) true)
+(expandtypeattribute (traced_33_0) true)
+(expandtypeattribute (traced_consumer_socket_33_0) true)
+(expandtypeattribute (traced_enabled_prop_33_0) true)
+(expandtypeattribute (traced_lazy_prop_33_0) true)
+(expandtypeattribute (traced_perf_33_0) true)
+(expandtypeattribute (traced_perf_socket_33_0) true)
+(expandtypeattribute (traced_probes_33_0) true)
+(expandtypeattribute (traced_producer_socket_33_0) true)
+(expandtypeattribute (traced_tmpfs_33_0) true)
+(expandtypeattribute (traceur_app_33_0) true)
+(expandtypeattribute (translation_service_33_0) true)
+(expandtypeattribute (trust_service_33_0) true)
+(expandtypeattribute (tty_device_33_0) true)
+(expandtypeattribute (tun_device_33_0) true)
+(expandtypeattribute (tv_iapp_service_33_0) true)
+(expandtypeattribute (tv_input_service_33_0) true)
+(expandtypeattribute (tv_tuner_resource_mgr_service_33_0) true)
+(expandtypeattribute (tzdatacheck_33_0) true)
+(expandtypeattribute (tzdatacheck_exec_33_0) true)
+(expandtypeattribute (ueventd_33_0) true)
+(expandtypeattribute (ueventd_tmpfs_33_0) true)
+(expandtypeattribute (uhid_device_33_0) true)
+(expandtypeattribute (uimode_service_33_0) true)
+(expandtypeattribute (uio_device_33_0) true)
+(expandtypeattribute (uncrypt_33_0) true)
+(expandtypeattribute (uncrypt_exec_33_0) true)
+(expandtypeattribute (uncrypt_socket_33_0) true)
+(expandtypeattribute (unencrypted_data_file_33_0) true)
+(expandtypeattribute (unlabeled_33_0) true)
+(expandtypeattribute (untrusted_app_25_33_0) true)
+(expandtypeattribute (untrusted_app_27_33_0) true)
+(expandtypeattribute (untrusted_app_29_33_0) true)
+(expandtypeattribute (untrusted_app_30_33_0) true)
+(expandtypeattribute (untrusted_app_33_0) true)
+(expandtypeattribute (update_engine_33_0) true)
+(expandtypeattribute (update_engine_data_file_33_0) true)
+(expandtypeattribute (update_engine_exec_33_0) true)
+(expandtypeattribute (update_engine_log_data_file_33_0) true)
+(expandtypeattribute (update_engine_service_33_0) true)
+(expandtypeattribute (update_engine_stable_service_33_0) true)
+(expandtypeattribute (update_verifier_33_0) true)
+(expandtypeattribute (update_verifier_exec_33_0) true)
+(expandtypeattribute (updatelock_service_33_0) true)
+(expandtypeattribute (uri_grants_service_33_0) true)
+(expandtypeattribute (usagestats_service_33_0) true)
+(expandtypeattribute (usb_config_prop_33_0) true)
+(expandtypeattribute (usb_control_prop_33_0) true)
+(expandtypeattribute (usb_device_33_0) true)
+(expandtypeattribute (usb_prop_33_0) true)
+(expandtypeattribute (usb_serial_device_33_0) true)
+(expandtypeattribute (usb_service_33_0) true)
+(expandtypeattribute (usbaccessory_device_33_0) true)
+(expandtypeattribute (usbd_33_0) true)
+(expandtypeattribute (usbd_exec_33_0) true)
+(expandtypeattribute (usbfs_33_0) true)
+(expandtypeattribute (use_memfd_prop_33_0) true)
+(expandtypeattribute (user_profile_data_file_33_0) true)
+(expandtypeattribute (user_profile_root_file_33_0) true)
+(expandtypeattribute (user_service_33_0) true)
+(expandtypeattribute (userdata_block_device_33_0) true)
+(expandtypeattribute (userdata_sysdev_33_0) true)
+(expandtypeattribute (usermodehelper_33_0) true)
+(expandtypeattribute (userspace_reboot_config_prop_33_0) true)
+(expandtypeattribute (userspace_reboot_exported_prop_33_0) true)
+(expandtypeattribute (userspace_reboot_metadata_file_33_0) true)
+(expandtypeattribute (uwb_service_33_0) true)
+(expandtypeattribute (vcn_management_service_33_0) true)
+(expandtypeattribute (vd_device_33_0) true)
+(expandtypeattribute (vdc_33_0) true)
+(expandtypeattribute (vdc_exec_33_0) true)
+(expandtypeattribute (vehicle_hal_prop_33_0) true)
+(expandtypeattribute (vendor_apex_file_33_0) true)
+(expandtypeattribute (vendor_app_file_33_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_33_0) true)
+(expandtypeattribute (vendor_configs_file_33_0) true)
+(expandtypeattribute (vendor_data_file_33_0) true)
+(expandtypeattribute (vendor_default_prop_33_0) true)
+(expandtypeattribute (vendor_file_33_0) true)
+(expandtypeattribute (vendor_framework_file_33_0) true)
+(expandtypeattribute (vendor_hal_file_33_0) true)
+(expandtypeattribute (vendor_idc_file_33_0) true)
+(expandtypeattribute (vendor_init_33_0) true)
+(expandtypeattribute (vendor_kernel_modules_33_0) true)
+(expandtypeattribute (vendor_keychars_file_33_0) true)
+(expandtypeattribute (vendor_keylayout_file_33_0) true)
+(expandtypeattribute (vendor_misc_writer_33_0) true)
+(expandtypeattribute (vendor_misc_writer_exec_33_0) true)
+(expandtypeattribute (vendor_modprobe_33_0) true)
+(expandtypeattribute (vendor_overlay_file_33_0) true)
+(expandtypeattribute (vendor_public_framework_file_33_0) true)
+(expandtypeattribute (vendor_public_lib_file_33_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_33_0) true)
+(expandtypeattribute (vendor_service_contexts_file_33_0) true)
+(expandtypeattribute (vendor_shell_33_0) true)
+(expandtypeattribute (vendor_shell_exec_33_0) true)
+(expandtypeattribute (vendor_socket_hook_prop_33_0) true)
+(expandtypeattribute (vendor_task_profiles_file_33_0) true)
+(expandtypeattribute (vendor_toolbox_exec_33_0) true)
+(expandtypeattribute (vendor_uuid_mapping_config_file_33_0) true)
+(expandtypeattribute (vendor_vm_data_file_33_0) true)
+(expandtypeattribute (vendor_vm_file_33_0) true)
+(expandtypeattribute (vfat_33_0) true)
+(expandtypeattribute (vibrator_manager_service_33_0) true)
+(expandtypeattribute (vibrator_service_33_0) true)
+(expandtypeattribute (video_device_33_0) true)
+(expandtypeattribute (virtual_ab_prop_33_0) true)
+(expandtypeattribute (virtual_device_service_33_0) true)
+(expandtypeattribute (virtual_touchpad_33_0) true)
+(expandtypeattribute (virtual_touchpad_exec_33_0) true)
+(expandtypeattribute (virtual_touchpad_service_33_0) true)
+(expandtypeattribute (virtualization_service_33_0) true)
+(expandtypeattribute (vndbinder_device_33_0) true)
+(expandtypeattribute (vndk_prop_33_0) true)
+(expandtypeattribute (vndk_sp_file_33_0) true)
+(expandtypeattribute (vndservice_contexts_file_33_0) true)
+(expandtypeattribute (vndservicemanager_33_0) true)
+(expandtypeattribute (voiceinteraction_service_33_0) true)
+(expandtypeattribute (vold_33_0) true)
+(expandtypeattribute (vold_config_prop_33_0) true)
+(expandtypeattribute (vold_data_file_33_0) true)
+(expandtypeattribute (vold_device_33_0) true)
+(expandtypeattribute (vold_exec_33_0) true)
+(expandtypeattribute (vold_metadata_file_33_0) true)
+(expandtypeattribute (vold_post_fs_data_prop_33_0) true)
+(expandtypeattribute (vold_prepare_subdirs_33_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_33_0) true)
+(expandtypeattribute (vold_prop_33_0) true)
+(expandtypeattribute (vold_service_33_0) true)
+(expandtypeattribute (vold_status_prop_33_0) true)
+(expandtypeattribute (vpn_data_file_33_0) true)
+(expandtypeattribute (vpn_management_service_33_0) true)
+(expandtypeattribute (vr_hwc_service_33_0) true)
+(expandtypeattribute (vr_manager_service_33_0) true)
+(expandtypeattribute (vrflinger_vsync_service_33_0) true)
+(expandtypeattribute (vts_config_prop_33_0) true)
+(expandtypeattribute (vts_status_prop_33_0) true)
+(expandtypeattribute (wallpaper_effects_generation_service_33_0) true)
+(expandtypeattribute (wallpaper_file_33_0) true)
+(expandtypeattribute (wallpaper_service_33_0) true)
+(expandtypeattribute (watchdog_device_33_0) true)
+(expandtypeattribute (watchdog_metadata_file_33_0) true)
+(expandtypeattribute (watchdogd_33_0) true)
+(expandtypeattribute (watchdogd_exec_33_0) true)
+(expandtypeattribute (webview_zygote_33_0) true)
+(expandtypeattribute (webview_zygote_exec_33_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_33_0) true)
+(expandtypeattribute (webviewupdate_service_33_0) true)
+(expandtypeattribute (wifi_config_prop_33_0) true)
+(expandtypeattribute (wifi_data_file_33_0) true)
+(expandtypeattribute (wifi_hal_prop_33_0) true)
+(expandtypeattribute (wifi_key_33_0) true)
+(expandtypeattribute (wifi_log_prop_33_0) true)
+(expandtypeattribute (wifi_prop_33_0) true)
+(expandtypeattribute (wifi_service_33_0) true)
+(expandtypeattribute (wifiaware_service_33_0) true)
+(expandtypeattribute (wificond_33_0) true)
+(expandtypeattribute (wificond_exec_33_0) true)
+(expandtypeattribute (wifinl80211_service_33_0) true)
+(expandtypeattribute (wifip2p_service_33_0) true)
+(expandtypeattribute (wifiscanner_service_33_0) true)
+(expandtypeattribute (window_service_33_0) true)
+(expandtypeattribute (wpa_socket_33_0) true)
+(expandtypeattribute (wpantund_33_0) true)
+(expandtypeattribute (wpantund_exec_33_0) true)
+(expandtypeattribute (wpantund_service_33_0) true)
+(expandtypeattribute (zero_device_33_0) true)
+(expandtypeattribute (zoneinfo_data_file_33_0) true)
+(expandtypeattribute (zram_config_prop_33_0) true)
+(expandtypeattribute (zram_control_prop_33_0) true)
+(expandtypeattribute (zygote_33_0) true)
+(expandtypeattribute (zygote_config_prop_33_0) true)
+(expandtypeattribute (zygote_exec_33_0) true)
+(expandtypeattribute (zygote_socket_33_0) true)
+(expandtypeattribute (zygote_tmpfs_33_0) true)
+(typeattributeset DockObserver_service_33_0 (DockObserver_service))
+(typeattributeset IProxyService_service_33_0 (IProxyService_service))
+(typeattributeset aac_drc_prop_33_0 (aac_drc_prop))
+(typeattributeset aaudio_config_prop_33_0 (aaudio_config_prop))
+(typeattributeset ab_update_gki_prop_33_0 (ab_update_gki_prop))
+(typeattributeset accessibility_service_33_0 (accessibility_service))
+(typeattributeset account_service_33_0 (account_service))
+(typeattributeset activity_service_33_0 (activity_service))
+(typeattributeset activity_task_service_33_0 (activity_task_service))
+(typeattributeset adb_data_file_33_0 (adb_data_file))
+(typeattributeset adb_keys_file_33_0 (adb_keys_file))
+(typeattributeset adb_service_33_0 (adb_service))
+(typeattributeset adbd_33_0 (adbd))
+(typeattributeset adbd_config_prop_33_0 (adbd_config_prop))
+(typeattributeset adbd_exec_33_0 (adbd_exec))
+(typeattributeset adbd_socket_33_0 (adbd_socket))
+(typeattributeset adservices_manager_service_33_0 (adservices_manager_service))
+(typeattributeset aidl_lazy_test_server_33_0 (aidl_lazy_test_server))
+(typeattributeset aidl_lazy_test_server_exec_33_0 (aidl_lazy_test_server_exec))
+(typeattributeset aidl_lazy_test_service_33_0 (aidl_lazy_test_service))
+(typeattributeset alarm_service_33_0 (alarm_service))
+(typeattributeset anr_data_file_33_0 (anr_data_file))
+(typeattributeset apc_service_33_0 (apc_service))
+(typeattributeset apex_data_file_33_0 (apex_data_file))
+(typeattributeset apex_info_file_33_0 (apex_info_file))
+(typeattributeset apex_metadata_file_33_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_33_0 (apex_mnt_dir))
+(typeattributeset apex_module_data_file_33_0 (apex_module_data_file))
+(typeattributeset apex_ota_reserved_file_33_0 (apex_ota_reserved_file))
+(typeattributeset apex_rollback_data_file_33_0 (apex_rollback_data_file))
+(typeattributeset apex_service_33_0 (apex_service))
+(typeattributeset apex_system_server_data_file_33_0 (apex_system_server_data_file))
+(typeattributeset apexd_33_0 (apexd))
+(typeattributeset apexd_config_prop_33_0 (apexd_config_prop))
+(typeattributeset apexd_exec_33_0 (apexd_exec))
+(typeattributeset apexd_prop_33_0 (apexd_prop))
+(typeattributeset apexd_select_prop_33_0 (apexd_select_prop))
+(typeattributeset apk_data_file_33_0 (apk_data_file))
+(typeattributeset apk_private_data_file_33_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_33_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_33_0 (apk_tmp_file))
+(typeattributeset apk_verity_prop_33_0 (apk_verity_prop))
+(typeattributeset app_binding_service_33_0 (app_binding_service))
+(typeattributeset app_data_file_33_0 (app_data_file))
+(typeattributeset app_fuse_file_33_0 (app_fuse_file))
+(typeattributeset app_fusefs_33_0 (app_fusefs))
+(typeattributeset app_hibernation_service_33_0 (app_hibernation_service))
+(typeattributeset app_integrity_service_33_0 (app_integrity_service))
+(typeattributeset app_prediction_service_33_0 (app_prediction_service))
+(typeattributeset app_search_service_33_0 (app_search_service))
+(typeattributeset app_zygote_33_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_33_0 (app_zygote_tmpfs))
+(typeattributeset appcompat_data_file_33_0 (appcompat_data_file))
+(typeattributeset appdomain_tmpfs_33_0 (appdomain_tmpfs))
+(typeattributeset appops_service_33_0 (appops_service))
+(typeattributeset appwidget_service_33_0 (appwidget_service))
+(typeattributeset arm64_memtag_prop_33_0 (arm64_memtag_prop))
+(typeattributeset art_apex_dir_33_0 (art_apex_dir))
+(typeattributeset artd_service_33_0 (artd_service))
+(typeattributeset asec_apk_file_33_0 (asec_apk_file))
+(typeattributeset asec_image_file_33_0 (asec_image_file))
+(typeattributeset asec_public_file_33_0 (asec_public_file))
+(typeattributeset ashmem_device_33_0 (ashmem_device))
+(typeattributeset ashmem_libcutils_device_33_0 (ashmem_libcutils_device))
+(typeattributeset assetatlas_service_33_0 (assetatlas_service))
+(typeattributeset atrace_33_0 (atrace))
+(typeattributeset attestation_verification_service_33_0 (attestation_verification_service))
+(typeattributeset audio_config_prop_33_0 (audio_config_prop))
+(typeattributeset audio_data_file_33_0 (audio_data_file))
+(typeattributeset audio_device_33_0 (audio_device))
+(typeattributeset audio_prop_33_0 (audio_prop))
+(typeattributeset audio_service_33_0 (audio_service))
+(typeattributeset audiohal_data_file_33_0 (audiohal_data_file))
+(typeattributeset audioserver_33_0 (audioserver))
+(typeattributeset audioserver_data_file_33_0 (audioserver_data_file))
+(typeattributeset audioserver_service_33_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_33_0 (audioserver_tmpfs))
+(typeattributeset auth_service_33_0 (auth_service))
+(typeattributeset authorization_service_33_0 (authorization_service))
+(typeattributeset autofill_service_33_0 (autofill_service))
+(typeattributeset backup_data_file_33_0 (backup_data_file))
+(typeattributeset backup_service_33_0 (backup_service))
+(typeattributeset battery_service_33_0 (battery_service))
+(typeattributeset batteryproperties_service_33_0 (batteryproperties_service))
+(typeattributeset batterystats_service_33_0 (batterystats_service))
+(typeattributeset binder_cache_bluetooth_server_prop_33_0 (binder_cache_bluetooth_server_prop))
+(typeattributeset binder_cache_system_server_prop_33_0 (binder_cache_system_server_prop))
+(typeattributeset binder_cache_telephony_server_prop_33_0 (binder_cache_telephony_server_prop))
+(typeattributeset binder_calls_stats_service_33_0 (binder_calls_stats_service))
+(typeattributeset binder_device_33_0 (binder_device))
+(typeattributeset binderfs_33_0 (binderfs))
+(typeattributeset binderfs_features_33_0 (binderfs_features))
+(typeattributeset binderfs_logs_33_0 (binderfs_logs))
+(typeattributeset binderfs_logs_proc_33_0 (binderfs_logs_proc))
+(typeattributeset binfmt_miscfs_33_0 (binfmt_miscfs))
+(typeattributeset biometric_service_33_0 (biometric_service))
+(typeattributeset blkid_33_0 (blkid))
+(typeattributeset blkid_untrusted_33_0 (blkid_untrusted))
+(typeattributeset blob_store_service_33_0 (blob_store_service))
+(typeattributeset block_device_33_0 (block_device))
+(typeattributeset bluetooth_33_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_33_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_33_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_config_prop_33_0 (bluetooth_config_prop))
+(typeattributeset bluetooth_data_file_33_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_33_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_33_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_33_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_33_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_33_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_33_0 (bluetooth_socket))
+(typeattributeset boot_block_device_33_0 (boot_block_device))
+(typeattributeset boot_status_prop_33_0 (boot_status_prop))
+(typeattributeset bootanim_33_0 (bootanim))
+(typeattributeset bootanim_config_prop_33_0 (bootanim_config_prop))
+(typeattributeset bootanim_exec_33_0 (bootanim_exec))
+(typeattributeset bootanim_system_prop_33_0 (bootanim_system_prop))
+(typeattributeset bootchart_data_file_33_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_33_0 (bootloader_boot_reason_prop))
+(typeattributeset bootloader_prop_33_0 (bootloader_prop))
+(typeattributeset bootstat_33_0 (bootstat))
+(typeattributeset bootstat_data_file_33_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_33_0 (bootstat_exec))
+(typeattributeset boottime_prop_33_0 (boottime_prop))
+(typeattributeset boottime_public_prop_33_0 (boottime_public_prop))
+(typeattributeset boottrace_data_file_33_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_33_0 (bpf_progs_loaded_prop))
+(typeattributeset bpfloader_33_0 (bpfloader))
+(typeattributeset bq_config_prop_33_0 (bq_config_prop))
+(typeattributeset broadcastradio_service_33_0 (broadcastradio_service))
+(typeattributeset bufferhubd_33_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_33_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_33_0 (bugreport_service))
+(typeattributeset build_bootimage_prop_33_0 (build_bootimage_prop))
+(typeattributeset build_config_prop_33_0 (build_config_prop))
+(typeattributeset build_odm_prop_33_0 (build_odm_prop))
+(typeattributeset build_prop_33_0 (build_prop))
+(typeattributeset build_prop_33_0 (userdebug_or_eng_prop))
+(typeattributeset build_vendor_prop_33_0 (build_vendor_prop))
+(typeattributeset cache_backup_file_33_0 (cache_backup_file))
+(typeattributeset cache_block_device_33_0 (cache_block_device))
+(typeattributeset cache_file_33_0 (cache_file))
+(typeattributeset cache_private_backup_file_33_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_33_0 (cache_recovery_file))
+(typeattributeset cacheinfo_service_33_0 (cacheinfo_service))
+(typeattributeset camera2_extensions_prop_33_0 (camera2_extensions_prop))
+(typeattributeset camera_calibration_prop_33_0 (camera_calibration_prop))
+(typeattributeset camera_config_prop_33_0 (camera_config_prop))
+(typeattributeset camera_data_file_33_0 (camera_data_file))
+(typeattributeset camera_device_33_0 (camera_device))
+(typeattributeset cameraproxy_service_33_0 (cameraproxy_service))
+(typeattributeset cameraserver_33_0 (cameraserver))
+(typeattributeset cameraserver_exec_33_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_33_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_33_0 (cameraserver_tmpfs))
+(typeattributeset camerax_extensions_prop_33_0 (camerax_extensions_prop))
+(typeattributeset cgroup_33_0 (cgroup))
+(typeattributeset cgroup_desc_api_file_33_0 (cgroup_desc_api_file))
+(typeattributeset cgroup_desc_file_33_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_33_0 (cgroup_rc_file))
+(typeattributeset cgroup_v2_33_0 (cgroup_v2))
+(typeattributeset charger_33_0 (charger))
+(typeattributeset charger_config_prop_33_0 (charger_config_prop))
+(typeattributeset charger_exec_33_0 (charger_exec))
+(typeattributeset charger_prop_33_0 (charger_prop))
+(typeattributeset charger_status_prop_33_0 (charger_status_prop))
+(typeattributeset charger_vendor_33_0 (charger_vendor))
+(typeattributeset clipboard_service_33_0 (clipboard_service))
+(typeattributeset cloudsearch_service_33_0 (cloudsearch_service))
+(typeattributeset codec2_config_prop_33_0 (codec2_config_prop))
+(typeattributeset cold_boot_done_prop_33_0 (cold_boot_done_prop))
+(typeattributeset color_display_service_33_0 (color_display_service))
+(typeattributeset companion_device_service_33_0 (companion_device_service))
+(typeattributeset config_prop_33_0 (config_prop))
+(typeattributeset configfs_33_0 (configfs))
+(typeattributeset connectivity_native_service_33_0 (connectivity_native_service))
+(typeattributeset connectivity_service_33_0 (connectivity_service))
+(typeattributeset connmetrics_service_33_0 (connmetrics_service))
+(typeattributeset console_device_33_0 (console_device))
+(typeattributeset consumer_ir_service_33_0 (consumer_ir_service))
+(typeattributeset content_capture_service_33_0 (content_capture_service))
+(typeattributeset content_service_33_0 (content_service))
+(typeattributeset content_suggestions_service_33_0 (content_suggestions_service))
+(typeattributeset contexthub_service_33_0 (contexthub_service))
+(typeattributeset coredump_file_33_0 (coredump_file))
+(typeattributeset country_detector_service_33_0 (country_detector_service))
+(typeattributeset coverage_service_33_0 (coverage_service))
+(typeattributeset cppreopt_prop_33_0 (cppreopt_prop))
+(typeattributeset cpu_variant_prop_33_0 (cpu_variant_prop))
+(typeattributeset cpuinfo_service_33_0 (cpuinfo_service))
+(typeattributeset crash_dump_33_0 (crash_dump))
+(typeattributeset crash_dump_exec_33_0 (crash_dump_exec))
+(typeattributeset credstore_33_0 (credstore))
+(typeattributeset credstore_data_file_33_0 (credstore_data_file))
+(typeattributeset credstore_exec_33_0 (credstore_exec))
+(typeattributeset credstore_service_33_0 (credstore_service))
+(typeattributeset crossprofileapps_service_33_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_33_0 (ctl_adbd_prop))
+(typeattributeset ctl_apexd_prop_33_0 (ctl_apexd_prop))
+(typeattributeset ctl_bootanim_prop_33_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_33_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_33_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_33_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_33_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_33_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_33_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_33_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_33_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_33_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_33_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_33_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_33_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_33_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_33_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_33_0 (ctl_stop_prop))
+(typeattributeset dalvik_config_prop_33_0 (dalvik_config_prop))
+(typeattributeset dalvik_prop_33_0 (dalvik_prop))
+(typeattributeset dalvik_runtime_prop_33_0 (dalvik_runtime_prop))
+(typeattributeset dalvikcache_data_file_33_0 (dalvikcache_data_file))
+(typeattributeset dataloader_manager_service_33_0 (dataloader_manager_service))
+(typeattributeset dbinfo_service_33_0 (dbinfo_service))
+(typeattributeset dck_prop_33_0 (dck_prop))
+(typeattributeset debug_prop_33_0 (debug_prop))
+(typeattributeset debugfs_33_0 (debugfs))
+(typeattributeset debugfs_bootreceiver_tracing_33_0 (debugfs_bootreceiver_tracing))
+(typeattributeset debugfs_kprobes_33_0 (debugfs_kprobes))
+(typeattributeset debugfs_mm_events_tracing_33_0 (debugfs_mm_events_tracing))
+(typeattributeset debugfs_mmc_33_0 (debugfs_mmc))
+(typeattributeset debugfs_restriction_prop_33_0 (debugfs_restriction_prop))
+(typeattributeset debugfs_trace_marker_33_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_33_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_33_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_33_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_tracing_printk_formats_33_0 (debugfs_tracing_printk_formats))
+(typeattributeset debugfs_wakeup_sources_33_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_33_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_33_0 (debuggerd_prop))
+(typeattributeset default_android_hwservice_33_0 (default_android_hwservice))
+(typeattributeset default_android_service_33_0 (default_android_service))
+(typeattributeset default_android_vndservice_33_0 (default_android_vndservice))
+(typeattributeset default_prop_33_0 (default_prop))
+(typeattributeset dev_cpu_variant_33_0 (dev_cpu_variant))
+(typeattributeset device_33_0 (device))
+(typeattributeset device_config_activity_manager_native_boot_prop_33_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_33_0 (device_config_boot_count_prop))
+(typeattributeset device_config_input_native_boot_prop_33_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_33_0 (device_config_media_native_prop))
+(typeattributeset device_config_netd_native_prop_33_0 (device_config_netd_native_prop))
+(typeattributeset device_config_nnapi_native_prop_33_0 (device_config_nnapi_native_prop))
+(typeattributeset device_config_reset_performed_prop_33_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_33_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_33_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_33_0 (device_config_service))
+(typeattributeset device_config_surface_flinger_native_boot_prop_33_0 (device_config_surface_flinger_native_boot_prop))
+(typeattributeset device_identifiers_service_33_0 (device_identifiers_service))
+(typeattributeset device_logging_prop_33_0 (device_logging_prop))
+(typeattributeset device_policy_service_33_0 (device_policy_service))
+(typeattributeset device_state_service_33_0 (device_state_service))
+(typeattributeset deviceidle_service_33_0 (deviceidle_service))
+(typeattributeset devicestoragemonitor_service_33_0 (devicestoragemonitor_service))
+(typeattributeset devpts_33_0 (devpts))
+(typeattributeset dhcp_33_0 (dhcp))
+(typeattributeset dhcp_data_file_33_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_33_0 (dhcp_exec))
+(typeattributeset dhcp_prop_33_0 (dhcp_prop))
+(typeattributeset dice_maintenance_service_33_0 (dice_maintenance_service))
+(typeattributeset dice_node_service_33_0 (dice_node_service))
+(typeattributeset diced_33_0 (diced))
+(typeattributeset diced_exec_33_0 (diced_exec))
+(typeattributeset diskstats_service_33_0 (diskstats_service))
+(typeattributeset display_service_33_0 (display_service))
+(typeattributeset dm_device_33_0 (dm_device))
+(typeattributeset dm_user_device_33_0 (dm_user_device))
+(typeattributeset dmabuf_heap_device_33_0 (dmabuf_heap_device))
+(typeattributeset dmabuf_system_heap_device_33_0 (dmabuf_system_heap_device))
+(typeattributeset dmabuf_system_secure_heap_device_33_0 (dmabuf_system_secure_heap_device))
+(typeattributeset dnsmasq_33_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_33_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_33_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_33_0 (dnsresolver_service))
+(typeattributeset domain_verification_service_33_0 (domain_verification_service))
+(typeattributeset dreams_service_33_0 (dreams_service))
+(typeattributeset drm_data_file_33_0 (drm_data_file))
+(typeattributeset drm_service_config_prop_33_0 (drm_service_config_prop))
+(typeattributeset drmserver_33_0 (drmserver))
+(typeattributeset drmserver_exec_33_0 (drmserver_exec))
+(typeattributeset drmserver_service_33_0 (drmserver_service))
+(typeattributeset drmserver_socket_33_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_33_0 (dropbox_data_file))
+(typeattributeset dropbox_service_33_0 (dropbox_service))
+(typeattributeset dumpstate_33_0 (dumpstate))
+(typeattributeset dumpstate_exec_33_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_33_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_33_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_33_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_33_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_33_0 (dynamic_system_prop))
+(typeattributeset e2fs_33_0 (e2fs))
+(typeattributeset e2fs_exec_33_0 (e2fs_exec))
+(typeattributeset efs_file_33_0 (efs_file))
+(typeattributeset emergency_affordance_service_33_0 (emergency_affordance_service))
+(typeattributeset ephemeral_app_33_0 (ephemeral_app))
+(typeattributeset ethernet_service_33_0 (ethernet_service))
+(typeattributeset evsmanagerd_33_0 (evsmanagerd))
+(typeattributeset evsmanagerd_service_33_0 (evsmanagerd_service))
+(typeattributeset exfat_33_0 (exfat))
+(typeattributeset exported3_system_prop_33_0 (exported3_system_prop))
+(typeattributeset exported_bluetooth_prop_33_0 (exported_bluetooth_prop))
+(typeattributeset exported_camera_prop_33_0 (exported_camera_prop))
+(typeattributeset exported_config_prop_33_0 (exported_config_prop))
+(typeattributeset exported_default_prop_33_0 (exported_default_prop))
+(typeattributeset exported_dumpstate_prop_33_0 (exported_dumpstate_prop))
+(typeattributeset exported_overlay_prop_33_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_33_0 (exported_pm_prop))
+(typeattributeset exported_secure_prop_33_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_33_0 (exported_system_prop))
+(typeattributeset external_vibrator_service_33_0 (external_vibrator_service))
+(typeattributeset extra_free_kbytes_33_0 (extra_free_kbytes))
+(typeattributeset extra_free_kbytes_exec_33_0 (extra_free_kbytes_exec))
+(typeattributeset face_service_33_0 (face_service))
+(typeattributeset face_vendor_data_file_33_0 (face_vendor_data_file))
+(typeattributeset fastbootd_33_0 (fastbootd))
+(typeattributeset ffs_config_prop_33_0 (ffs_config_prop))
+(typeattributeset ffs_control_prop_33_0 (ffs_control_prop))
+(typeattributeset file_contexts_file_33_0 (file_contexts_file))
+(typeattributeset file_integrity_service_33_0 (file_integrity_service))
+(typeattributeset fingerprint_prop_33_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_33_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_33_0 (fingerprint_vendor_data_file))
+(typeattributeset fingerprintd_33_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_33_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_33_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_33_0 (fingerprintd_service))
+(typeattributeset firstboot_prop_33_0 (firstboot_prop))
+(typeattributeset flags_health_check_33_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_33_0 (flags_health_check_exec))
+(typeattributeset font_service_33_0 (font_service))
+(typeattributeset framework_watchdog_config_prop_33_0 (framework_watchdog_config_prop))
+(typeattributeset frp_block_device_33_0 (frp_block_device))
+(typeattributeset fs_bpf_33_0 (fs_bpf))
+(typeattributeset fs_bpf_tethering_33_0 (fs_bpf_tethering))
+(typeattributeset fs_bpf_vendor_33_0 (fs_bpf_vendor))
+(typeattributeset fsck_33_0 (fsck))
+(typeattributeset fsck_exec_33_0 (fsck_exec))
+(typeattributeset fsck_untrusted_33_0 (fsck_untrusted))
+(typeattributeset fscklogs_33_0 (fscklogs))
+(typeattributeset functionfs_33_0 (functionfs))
+(typeattributeset fuse_33_0 (fuse))
+(typeattributeset fuse_device_33_0 (fuse_device))
+(typeattributeset fusectlfs_33_0 (fusectlfs))
+(typeattributeset fwk_automotive_display_hwservice_33_0 (fwk_automotive_display_hwservice))
+(typeattributeset fwk_automotive_display_service_33_0 (fwk_automotive_display_service))
+(typeattributeset fwk_bufferhub_hwservice_33_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_33_0 (fwk_camera_hwservice))
+(typeattributeset fwk_display_hwservice_33_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_33_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_33_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_stats_hwservice_33_0 (fwk_stats_hwservice))
+(typeattributeset fwk_stats_service_33_0 (fwk_stats_service))
+(typeattributeset fwmarkd_socket_33_0 (fwmarkd_socket))
+(typeattributeset game_mode_intervention_list_file_33_0 (game_mode_intervention_list_file))
+(typeattributeset game_service_33_0 (game_service))
+(typeattributeset gatekeeper_data_file_33_0 (gatekeeper_data_file))
+(typeattributeset gatekeeper_service_33_0 (gatekeeper_service))
+(typeattributeset gatekeeperd_33_0 (gatekeeperd))
+(typeattributeset gatekeeperd_exec_33_0 (gatekeeperd_exec))
+(typeattributeset gesture_prop_33_0 (gesture_prop))
+(typeattributeset gfxinfo_service_33_0 (gfxinfo_service))
+(typeattributeset gmscore_app_33_0 (gmscore_app))
+(typeattributeset gnss_device_33_0 (gnss_device))
+(typeattributeset gnss_time_update_service_33_0 (gnss_time_update_service))
+(typeattributeset gps_control_33_0 (gps_control))
+(typeattributeset gpu_device_33_0 (gpu_device))
+(typeattributeset gpu_service_33_0 (gpu_service))
+(typeattributeset gpuservice_33_0 (gpuservice))
+(typeattributeset graphics_config_prop_33_0 (graphics_config_prop))
+(typeattributeset graphics_device_33_0 (graphics_device))
+(typeattributeset graphicsstats_service_33_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_33_0 (gsi_data_file))
+(typeattributeset gsi_metadata_file_33_0 (gsi_metadata_file))
+(typeattributeset gsi_public_metadata_file_33_0 (gsi_public_metadata_file))
+(typeattributeset gwp_asan_prop_33_0 (gwp_asan_prop))
+(typeattributeset hal_atrace_hwservice_33_0 (hal_atrace_hwservice))
+(typeattributeset hal_audio_hwservice_33_0 (hal_audio_hwservice))
+(typeattributeset hal_audio_service_33_0 (hal_audio_service))
+(typeattributeset hal_audiocontrol_hwservice_33_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_audiocontrol_service_33_0 (hal_audiocontrol_service))
+(typeattributeset hal_authsecret_hwservice_33_0 (hal_authsecret_hwservice))
+(typeattributeset hal_authsecret_service_33_0 (hal_authsecret_service))
+(typeattributeset hal_bluetooth_hwservice_33_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_33_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_33_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_33_0 (hal_camera_hwservice))
+(typeattributeset hal_camera_service_33_0 (hal_camera_service))
+(typeattributeset hal_can_bus_hwservice_33_0 (hal_can_bus_hwservice))
+(typeattributeset hal_can_controller_hwservice_33_0 (hal_can_controller_hwservice))
+(typeattributeset hal_cas_hwservice_33_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_33_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_33_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_33_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_33_0 (hal_contexthub_hwservice))
+(typeattributeset hal_contexthub_service_33_0 (hal_contexthub_service))
+(typeattributeset hal_dice_service_33_0 (hal_dice_service))
+(typeattributeset hal_drm_hwservice_33_0 (hal_drm_hwservice))
+(typeattributeset hal_drm_service_33_0 (hal_drm_service))
+(typeattributeset hal_dumpstate_config_prop_33_0 (hal_dumpstate_config_prop))
+(typeattributeset hal_dumpstate_hwservice_33_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_dumpstate_service_33_0 (hal_dumpstate_service))
+(typeattributeset hal_evs_hwservice_33_0 (hal_evs_hwservice))
+(typeattributeset hal_evs_service_33_0 (hal_evs_service))
+(typeattributeset hal_face_hwservice_33_0 (hal_face_hwservice))
+(typeattributeset hal_face_service_33_0 (hal_face_service))
+(typeattributeset hal_fingerprint_hwservice_33_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_33_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_33_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_33_0 (hal_gnss_hwservice))
+(typeattributeset hal_gnss_service_33_0 (hal_gnss_service))
+(typeattributeset hal_graphics_allocator_hwservice_33_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_allocator_service_33_0 (hal_graphics_allocator_service))
+(typeattributeset hal_graphics_composer_hwservice_33_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_33_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_composer_service_33_0 (hal_graphics_composer_service))
+(typeattributeset hal_graphics_mapper_hwservice_33_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_33_0 (hal_health_hwservice))
+(typeattributeset hal_health_service_33_0 (hal_health_service))
+(typeattributeset hal_health_storage_hwservice_33_0 (hal_health_storage_hwservice))
+(typeattributeset hal_health_storage_service_33_0 (hal_health_storage_service))
+(typeattributeset hal_identity_service_33_0 (hal_identity_service))
+(typeattributeset hal_input_classifier_hwservice_33_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_input_processor_service_33_0 (hal_input_processor_service))
+(typeattributeset hal_instrumentation_prop_33_0 (hal_instrumentation_prop))
+(typeattributeset hal_ir_hwservice_33_0 (hal_ir_hwservice))
+(typeattributeset hal_ir_service_33_0 (hal_ir_service))
+(typeattributeset hal_keymaster_hwservice_33_0 (hal_keymaster_hwservice))
+(typeattributeset hal_keymint_service_33_0 (hal_keymint_service))
+(typeattributeset hal_light_hwservice_33_0 (hal_light_hwservice))
+(typeattributeset hal_light_service_33_0 (hal_light_service))
+(typeattributeset hal_lowpan_hwservice_33_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_33_0 (hal_memtrack_hwservice))
+(typeattributeset hal_memtrack_service_33_0 (hal_memtrack_service))
+(typeattributeset hal_neuralnetworks_hwservice_33_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_neuralnetworks_service_33_0 (hal_neuralnetworks_service))
+(typeattributeset hal_nfc_hwservice_33_0 (hal_nfc_hwservice))
+(typeattributeset hal_nfc_service_33_0 (hal_nfc_service))
+(typeattributeset hal_nlinterceptor_service_33_0 (hal_nlinterceptor_service))
+(typeattributeset hal_oemlock_hwservice_33_0 (hal_oemlock_hwservice))
+(typeattributeset hal_oemlock_service_33_0 (hal_oemlock_service))
+(typeattributeset hal_omx_hwservice_33_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_33_0 (hal_power_hwservice))
+(typeattributeset hal_power_service_33_0 (hal_power_service))
+(typeattributeset hal_power_stats_hwservice_33_0 (hal_power_stats_hwservice))
+(typeattributeset hal_power_stats_service_33_0 (hal_power_stats_service))
+(typeattributeset hal_radio_service_33_0 (hal_radio_service))
+(typeattributeset hal_rebootescrow_service_33_0 (hal_rebootescrow_service))
+(typeattributeset hal_remotelyprovisionedcomponent_service_33_0 (hal_remotelyprovisionedcomponent_service))
+(typeattributeset hal_renderscript_hwservice_33_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_33_0 (hal_secure_element_hwservice))
+(typeattributeset hal_secureclock_service_33_0 (hal_secureclock_service))
+(typeattributeset hal_sensors_hwservice_33_0 (hal_sensors_hwservice))
+(typeattributeset hal_sensors_service_33_0 (hal_sensors_service))
+(typeattributeset hal_sharedsecret_service_33_0 (hal_sharedsecret_service))
+(typeattributeset hal_system_suspend_service_33_0 (hal_system_suspend_service))
+(typeattributeset hal_telephony_hwservice_33_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_33_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_33_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_33_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_33_0 (hal_tv_input_hwservice))
+(typeattributeset hal_tv_tuner_hwservice_33_0 (hal_tv_tuner_hwservice))
+(typeattributeset hal_tv_tuner_service_33_0 (hal_tv_tuner_service))
+(typeattributeset hal_usb_gadget_hwservice_33_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_33_0 (hal_usb_hwservice))
+(typeattributeset hal_usb_service_33_0 (hal_usb_service))
+(typeattributeset hal_uwb_service_33_0 (hal_uwb_service))
+(typeattributeset hal_vehicle_hwservice_33_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vehicle_service_33_0 (hal_vehicle_service))
+(typeattributeset hal_vibrator_hwservice_33_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vibrator_service_33_0 (hal_vibrator_service))
+(typeattributeset hal_vr_hwservice_33_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_33_0 (hal_weaver_hwservice))
+(typeattributeset hal_weaver_service_33_0 (hal_weaver_service))
+(typeattributeset hal_wifi_hostapd_hwservice_33_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hostapd_service_33_0 (hal_wifi_hostapd_service))
+(typeattributeset hal_wifi_hwservice_33_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_33_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hal_wifi_supplicant_service_33_0 (hal_wifi_supplicant_service))
+(typeattributeset hardware_properties_service_33_0 (hardware_properties_service))
+(typeattributeset hardware_service_33_0 (hardware_service))
+(typeattributeset hci_attach_dev_33_0 (hci_attach_dev))
+(typeattributeset hdmi_config_prop_33_0 (hdmi_config_prop))
+(typeattributeset hdmi_control_service_33_0 (hdmi_control_service))
+(typeattributeset healthd_33_0 (healthd))
+(typeattributeset heapdump_data_file_33_0 (heapdump_data_file))
+(typeattributeset heapprofd_33_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_33_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_33_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_33_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_33_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_33_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_33_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_33_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_33_0 (hidl_token_hwservice))
+(typeattributeset hint_service_33_0 (hint_service))
+(typeattributeset hw_random_device_33_0 (hw_random_device))
+(typeattributeset hw_timeout_multiplier_prop_33_0 (hw_timeout_multiplier_prop))
+(typeattributeset hwbinder_device_33_0 (hwbinder_device))
+(typeattributeset hwservice_contexts_file_33_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_33_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_33_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_33_0 (hwservicemanager_prop))
+(typeattributeset hypervisor_prop_33_0 (hypervisor_prop))
+(typeattributeset icon_file_33_0 (icon_file))
+(typeattributeset idmap_33_0 (idmap))
+(typeattributeset idmap_exec_33_0 (idmap_exec))
+(typeattributeset idmap_service_33_0 (idmap_service))
+(typeattributeset iio_device_33_0 (iio_device))
+(typeattributeset imms_service_33_0 (imms_service))
+(typeattributeset incident_33_0 (incident))
+(typeattributeset incident_data_file_33_0 (incident_data_file))
+(typeattributeset incident_helper_33_0 (incident_helper))
+(typeattributeset incident_service_33_0 (incident_service))
+(typeattributeset incidentd_33_0 (incidentd))
+(typeattributeset incremental_control_file_33_0 (incremental_control_file))
+(typeattributeset incremental_prop_33_0 (incremental_prop))
+(typeattributeset incremental_service_33_0 (incremental_service))
+(typeattributeset init_33_0 (init))
+(typeattributeset init_exec_33_0 (init_exec))
+(typeattributeset init_service_status_prop_33_0 (init_service_status_prop))
+(typeattributeset init_tmpfs_33_0 (init_tmpfs))
+(typeattributeset inotify_33_0 (inotify))
+(typeattributeset input_device_33_0 (input_device))
+(typeattributeset input_method_service_33_0 (input_method_service))
+(typeattributeset input_service_33_0 (input_service))
+(typeattributeset inputflinger_33_0 (inputflinger))
+(typeattributeset inputflinger_exec_33_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_33_0 (inputflinger_service))
+(typeattributeset install_data_file_33_0 (install_data_file))
+(typeattributeset installd_33_0 (installd))
+(typeattributeset installd_exec_33_0 (installd_exec))
+(typeattributeset installd_service_33_0 (installd_service))
+(typeattributeset ion_device_33_0 (ion_device))
+(typeattributeset iorap_inode2filename_33_0 (iorap_inode2filename))
+(typeattributeset iorap_inode2filename_exec_33_0 (iorap_inode2filename_exec))
+(typeattributeset iorap_inode2filename_tmpfs_33_0 (iorap_inode2filename_tmpfs))
+(typeattributeset iorap_prefetcherd_33_0 (iorap_prefetcherd))
+(typeattributeset iorap_prefetcherd_exec_33_0 (iorap_prefetcherd_exec))
+(typeattributeset iorap_prefetcherd_tmpfs_33_0 (iorap_prefetcherd_tmpfs))
+(typeattributeset iorapd_33_0 (iorapd))
+(typeattributeset iorapd_data_file_33_0 (iorapd_data_file))
+(typeattributeset iorapd_exec_33_0 (iorapd_exec))
+(typeattributeset iorapd_service_33_0 (iorapd_service))
+(typeattributeset iorapd_tmpfs_33_0 (iorapd_tmpfs))
+(typeattributeset ipsec_service_33_0 (ipsec_service))
+(typeattributeset iris_service_33_0 (iris_service))
+(typeattributeset iris_vendor_data_file_33_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_33_0 (isolated_app))
+(typeattributeset jobscheduler_service_33_0 (jobscheduler_service))
+(typeattributeset kernel_33_0 (kernel))
+(typeattributeset keychain_data_file_33_0 (keychain_data_file))
+(typeattributeset keychord_device_33_0 (keychord_device))
+(typeattributeset keyguard_config_prop_33_0 (keyguard_config_prop))
+(typeattributeset keystore2_key_contexts_file_33_0 (keystore2_key_contexts_file))
+(typeattributeset keystore_33_0 (keystore))
+(typeattributeset keystore_compat_hal_service_33_0 (keystore_compat_hal_service))
+(typeattributeset keystore_data_file_33_0 (keystore_data_file))
+(typeattributeset keystore_exec_33_0 (keystore_exec))
+(typeattributeset keystore_maintenance_service_33_0 (keystore_maintenance_service))
+(typeattributeset keystore_metrics_service_33_0 (keystore_metrics_service))
+(typeattributeset keystore_service_33_0 (keystore_service))
+(typeattributeset kmsg_debug_device_33_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_33_0 (kmsg_device))
+(typeattributeset labeledfs_33_0 (labeledfs))
+(typeattributeset launcherapps_service_33_0 (launcherapps_service))
+(typeattributeset legacy_permission_service_33_0 (legacy_permission_service))
+(typeattributeset legacykeystore_service_33_0 (legacykeystore_service))
+(typeattributeset libc_debug_prop_33_0 (libc_debug_prop))
+(typeattributeset light_service_33_0 (light_service))
+(typeattributeset linkerconfig_file_33_0 (linkerconfig_file))
+(typeattributeset llkd_33_0 (llkd))
+(typeattributeset llkd_exec_33_0 (llkd_exec))
+(typeattributeset llkd_prop_33_0 (llkd_prop))
+(typeattributeset lmkd_33_0 (lmkd))
+(typeattributeset lmkd_config_prop_33_0 (lmkd_config_prop))
+(typeattributeset lmkd_exec_33_0 (lmkd_exec))
+(typeattributeset lmkd_prop_33_0 (lmkd_prop))
+(typeattributeset lmkd_socket_33_0 (lmkd_socket))
+(typeattributeset locale_service_33_0 (locale_service))
+(typeattributeset location_service_33_0 (location_service))
+(typeattributeset location_time_zone_manager_service_33_0 (location_time_zone_manager_service))
+(typeattributeset lock_settings_service_33_0 (lock_settings_service))
+(typeattributeset log_prop_33_0 (log_prop))
+(typeattributeset log_tag_prop_33_0 (log_tag_prop))
+(typeattributeset logcat_exec_33_0 (logcat_exec))
+(typeattributeset logd_33_0 (logd))
+(typeattributeset logd_exec_33_0 (logd_exec))
+(typeattributeset logd_prop_33_0 (logd_prop))
+(typeattributeset logd_socket_33_0 (logd_socket))
+(typeattributeset logdr_socket_33_0 (logdr_socket))
+(typeattributeset logdw_socket_33_0 (logdw_socket))
+(typeattributeset logpersist_33_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_33_0 (logpersistd_logging_prop))
+(typeattributeset loop_control_device_33_0 (loop_control_device))
+(typeattributeset loop_device_33_0 (loop_device))
+(typeattributeset looper_stats_service_33_0 (looper_stats_service))
+(typeattributeset lowpan_device_33_0 (lowpan_device))
+(typeattributeset lowpan_prop_33_0 (lowpan_prop))
+(typeattributeset lowpan_service_33_0 (lowpan_service))
+(typeattributeset lpdump_service_33_0 (lpdump_service))
+(typeattributeset lpdumpd_prop_33_0 (lpdumpd_prop))
+(typeattributeset mac_perms_file_33_0 (mac_perms_file))
+(typeattributeset mdns_service_33_0 (mdns_service))
+(typeattributeset mdns_socket_33_0 (mdns_socket))
+(typeattributeset mdnsd_33_0 (mdnsd))
+(typeattributeset mdnsd_socket_33_0 (mdnsd_socket))
+(typeattributeset media_communication_service_33_0 (media_communication_service))
+(typeattributeset media_config_prop_33_0 (media_config_prop))
+(typeattributeset media_data_file_33_0 (media_data_file))
+(typeattributeset media_metrics_service_33_0 (media_metrics_service))
+(typeattributeset media_projection_service_33_0 (media_projection_service))
+(typeattributeset media_router_service_33_0 (media_router_service))
+(typeattributeset media_rw_data_file_33_0 (media_rw_data_file media_userdir_file))
+(typeattributeset media_session_service_33_0 (media_session_service))
+(typeattributeset media_variant_prop_33_0 (media_variant_prop))
+(typeattributeset mediadrm_config_prop_33_0 (mediadrm_config_prop))
+(typeattributeset mediadrmserver_33_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_33_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_33_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_33_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_33_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_33_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_33_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_33_0 (mediametrics))
+(typeattributeset mediametrics_exec_33_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_33_0 (mediametrics_service))
+(typeattributeset mediaprovider_33_0 (mediaprovider))
+(typeattributeset mediaserver_33_0 (mediaserver))
+(typeattributeset mediaserver_exec_33_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_33_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_33_0 (mediaserver_tmpfs))
+(typeattributeset mediaswcodec_33_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_33_0 (mediaswcodec_exec))
+(typeattributeset mediatranscoding_33_0 (mediatranscoding))
+(typeattributeset mediatranscoding_service_33_0 (mediatranscoding_service))
+(typeattributeset meminfo_service_33_0 (meminfo_service))
+(typeattributeset memtrackproxy_service_33_0 (memtrackproxy_service))
+(typeattributeset metadata_block_device_33_0 (metadata_block_device))
+(typeattributeset metadata_bootstat_file_33_0 (metadata_bootstat_file))
+(typeattributeset metadata_file_33_0 (metadata_file))
+(typeattributeset method_trace_data_file_33_0 (method_trace_data_file))
+(typeattributeset midi_service_33_0 (midi_service))
+(typeattributeset mirror_data_file_33_0 (mirror_data_file))
+(typeattributeset misc_block_device_33_0 (misc_block_device))
+(typeattributeset misc_logd_file_33_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_33_0 (misc_user_data_file))
+(typeattributeset mm_events_config_prop_33_0 (mm_events_config_prop))
+(typeattributeset mmc_prop_33_0 (mmc_prop))
+(typeattributeset mnt_expand_file_33_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_33_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_33_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_pass_through_file_33_0 (mnt_pass_through_file))
+(typeattributeset mnt_product_file_33_0 (mnt_product_file))
+(typeattributeset mnt_sdcard_file_33_0 (mnt_sdcard_file))
+(typeattributeset mnt_user_file_33_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_33_0 (mnt_vendor_file))
+(typeattributeset mock_ota_prop_33_0 (mock_ota_prop))
+(typeattributeset modprobe_33_0 (modprobe))
+(typeattributeset module_sdkextensions_prop_33_0 (module_sdkextensions_prop))
+(typeattributeset mount_service_33_0 (mount_service))
+(typeattributeset mqueue_33_0 (mqueue))
+(typeattributeset mtp_33_0 (mtp))
+(typeattributeset mtp_device_33_0 (mtp_device))
+(typeattributeset mtp_exec_33_0 (mtp_exec))
+(typeattributeset mtpd_socket_33_0 (mtpd_socket))
+(typeattributeset music_recognition_service_33_0 (music_recognition_service))
+(typeattributeset nativetest_data_file_33_0 (nativetest_data_file))
+(typeattributeset nearby_service_33_0 (nearby_service))
+(typeattributeset net_data_file_33_0 (net_data_file))
+(typeattributeset net_dns_prop_33_0 (net_dns_prop))
+(typeattributeset net_radio_prop_33_0 (net_radio_prop))
+(typeattributeset netd_33_0 (netd))
+(typeattributeset netd_exec_33_0 (netd_exec))
+(typeattributeset netd_listener_service_33_0 (netd_listener_service))
+(typeattributeset netd_service_33_0 (netd_service))
+(typeattributeset netif_33_0 (netif))
+(typeattributeset netpolicy_service_33_0 (netpolicy_service))
+(typeattributeset netstats_service_33_0 (netstats_service))
+(typeattributeset netutils_wrapper_33_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_33_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_33_0 (network_management_service))
+(typeattributeset network_score_service_33_0 (network_score_service))
+(typeattributeset network_stack_33_0 (network_stack))
+(typeattributeset network_stack_service_33_0 (network_stack_service))
+(typeattributeset network_time_update_service_33_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_33_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_33_0 (network_watchlist_service))
+(typeattributeset nfc_33_0 (nfc))
+(typeattributeset nfc_data_file_33_0 (nfc_data_file))
+(typeattributeset nfc_device_33_0 (nfc_device))
+(typeattributeset nfc_logs_data_file_33_0 (nfc_logs_data_file))
+(typeattributeset nfc_prop_33_0 (nfc_prop))
+(typeattributeset nfc_service_33_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_33_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_33_0 (node))
+(typeattributeset notification_service_33_0 (notification_service))
+(typeattributeset null_device_33_0 (null_device))
+(typeattributeset oem_lock_service_33_0 (oem_lock_service))
+(typeattributeset oem_unlock_prop_33_0 (oem_unlock_prop))
+(typeattributeset oemfs_33_0 (oemfs))
+(typeattributeset ota_data_file_33_0 (ota_data_file))
+(typeattributeset ota_metadata_file_33_0 (ota_metadata_file))
+(typeattributeset ota_package_file_33_0 (ota_package_file))
+(typeattributeset ota_prop_33_0 (ota_prop))
+(typeattributeset otadexopt_service_33_0 (otadexopt_service))
+(typeattributeset otapreopt_chroot_33_0 (otapreopt_chroot))
+(typeattributeset overlay_prop_33_0 (overlay_prop))
+(typeattributeset overlay_service_33_0 (overlay_service))
+(typeattributeset overlayfs_file_33_0 (overlayfs_file))
+(typeattributeset owntty_device_33_0 (owntty_device))
+(typeattributeset pac_proxy_service_33_0 (pac_proxy_service))
+(typeattributeset package_native_service_33_0 (package_native_service))
+(typeattributeset package_service_33_0 (package_service))
+(typeattributeset packagemanager_config_prop_33_0 (packagemanager_config_prop))
+(typeattributeset packages_list_file_33_0 (packages_list_file))
+(typeattributeset pan_result_prop_33_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_33_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_33_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_33_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_33_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_33_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_33_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_33_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_33_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_33_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_33_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_33_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_33_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_33_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_33_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_33_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_33_0 (pdx_performance_dir))
+(typeattributeset people_service_33_0 (people_service))
+(typeattributeset perfetto_33_0 (perfetto))
+(typeattributeset performanced_33_0 (performanced))
+(typeattributeset performanced_exec_33_0 (performanced_exec))
+(typeattributeset permission_checker_service_33_0 (permission_checker_service))
+(typeattributeset permission_service_33_0 (permission_service))
+(typeattributeset permissionmgr_service_33_0 (permissionmgr_service))
+(typeattributeset persist_debug_prop_33_0 (persist_debug_prop))
+(typeattributeset persist_vendor_debug_wifi_prop_33_0 (persist_vendor_debug_wifi_prop))
+(typeattributeset persist_wm_debug_prop_33_0 (persist_wm_debug_prop))
+(typeattributeset persistent_data_block_service_33_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_33_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_33_0 (pinner_service))
+(typeattributeset pipefs_33_0 (pipefs))
+(typeattributeset platform_app_33_0 (platform_app))
+(typeattributeset platform_compat_service_33_0 (platform_compat_service))
+(typeattributeset pmsg_device_33_0 (pmsg_device))
+(typeattributeset port_33_0 (port))
+(typeattributeset port_device_33_0 (port_device))
+(typeattributeset postinstall_33_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_33_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_33_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_33_0 (postinstall_mnt_dir))
+(typeattributeset power_debug_prop_33_0 (power_debug_prop))
+(typeattributeset power_service_33_0 (power_service))
+(typeattributeset powerctl_prop_33_0 (powerctl_prop))
+(typeattributeset powerstats_service_33_0 (powerstats_service))
+(typeattributeset ppp_33_0 (ppp))
+(typeattributeset ppp_device_33_0 (ppp_device))
+(typeattributeset ppp_exec_33_0 (ppp_exec))
+(typeattributeset preloads_data_file_33_0 (preloads_data_file))
+(typeattributeset preloads_media_file_33_0 (preloads_media_file))
+(typeattributeset prereboot_data_file_33_0 (prereboot_data_file))
+(typeattributeset print_service_33_0 (print_service))
+(typeattributeset priv_app_33_0 (priv_app))
+(typeattributeset privapp_data_file_33_0 (privapp_data_file))
+(typeattributeset proc_33_0 (proc))
+(typeattributeset proc_abi_33_0 (proc_abi))
+(typeattributeset proc_asound_33_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_33_0 (proc_bluetooth_writable))
+(typeattributeset proc_bootconfig_33_0 (proc_bootconfig))
+(typeattributeset proc_bpf_33_0 (proc_bpf))
+(typeattributeset proc_buddyinfo_33_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_33_0 (proc_cmdline))
+(typeattributeset proc_cpu_alignment_33_0 (proc_cpu_alignment))
+(typeattributeset proc_cpuinfo_33_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_33_0 (proc_dirty))
+(typeattributeset proc_diskstats_33_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_33_0 (proc_drop_caches))
+(typeattributeset proc_extra_free_kbytes_33_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_33_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_33_0 (proc_fs_verity))
+(typeattributeset proc_hostname_33_0 (proc_hostname))
+(typeattributeset proc_hung_task_33_0 (proc_hung_task))
+(typeattributeset proc_interrupts_33_0 (proc_interrupts))
+(typeattributeset proc_iomem_33_0 (proc_iomem))
+(typeattributeset proc_kallsyms_33_0 (proc_kallsyms))
+(typeattributeset proc_keys_33_0 (proc_keys))
+(typeattributeset proc_kmsg_33_0 (proc_kmsg))
+(typeattributeset proc_kpageflags_33_0 (proc_kpageflags))
+(typeattributeset proc_loadavg_33_0 (proc_loadavg))
+(typeattributeset proc_locks_33_0 (proc_locks))
+(typeattributeset proc_lowmemorykiller_33_0 (proc_lowmemorykiller))
+(typeattributeset proc_max_map_count_33_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_33_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_33_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_33_0 (proc_misc))
+(typeattributeset proc_modules_33_0 (proc_modules))
+(typeattributeset proc_mounts_33_0 (proc_mounts))
+(typeattributeset proc_net_33_0 (proc_net))
+(typeattributeset proc_net_tcp_udp_33_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_33_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_33_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_33_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_33_0 (proc_panic))
+(typeattributeset proc_perf_33_0 (proc_perf))
+(typeattributeset proc_pid_max_33_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_33_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_33_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_33_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_33_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_33_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_33_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_33_0 (proc_random))
+(typeattributeset proc_sched_33_0 (proc_sched))
+(typeattributeset proc_security_33_0 (proc_security))
+(typeattributeset proc_slabinfo_33_0 (proc_slabinfo))
+(typeattributeset proc_stat_33_0 (proc_stat))
+(typeattributeset proc_swaps_33_0 (proc_swaps))
+(typeattributeset proc_sysrq_33_0 (proc_sysrq))
+(typeattributeset proc_timer_33_0 (proc_timer))
+(typeattributeset proc_tty_drivers_33_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_33_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_33_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_33_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_33_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_33_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_33_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_33_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_33_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_33_0 (proc_uptime))
+(typeattributeset proc_vendor_sched_33_0 (proc_vendor_sched))
+(typeattributeset proc_version_33_0 (proc_version))
+(typeattributeset proc_vmallocinfo_33_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_33_0 (proc_vmstat))
+(typeattributeset proc_watermark_boost_factor_33_0 (proc_watermark_boost_factor))
+(typeattributeset proc_watermark_scale_factor_33_0 (proc_watermark_scale_factor))
+(typeattributeset proc_zoneinfo_33_0 (proc_zoneinfo))
+(typeattributeset processinfo_service_33_0 (processinfo_service))
+(typeattributeset procstats_service_33_0 (procstats_service))
+(typeattributeset profman_33_0 (profman))
+(typeattributeset profman_dump_data_file_33_0 (profman_dump_data_file))
+(typeattributeset profman_exec_33_0 (profman_exec))
+(typeattributeset properties_device_33_0 (properties_device))
+(typeattributeset properties_serial_33_0 (properties_serial))
+(typeattributeset property_contexts_file_33_0 (property_contexts_file))
+(typeattributeset property_data_file_33_0 (property_data_file))
+(typeattributeset property_info_33_0 (property_info))
+(typeattributeset property_service_version_prop_33_0 (property_service_version_prop))
+(typeattributeset property_socket_33_0 (property_socket))
+(typeattributeset provisioned_prop_33_0 (provisioned_prop))
+(typeattributeset pstorefs_33_0 (pstorefs))
+(typeattributeset ptmx_device_33_0 (ptmx_device))
+(typeattributeset qemu_hw_prop_33_0 (qemu_hw_prop))
+(typeattributeset qemu_sf_lcd_density_prop_33_0 (qemu_sf_lcd_density_prop))
+(typeattributeset qtaguid_device_33_0 (qtaguid_device))
+(typeattributeset racoon_33_0 (racoon))
+(typeattributeset racoon_exec_33_0 (racoon_exec))
+(typeattributeset racoon_socket_33_0 (racoon_socket))
+(typeattributeset radio_33_0 (radio))
+(typeattributeset radio_control_prop_33_0 (radio_control_prop))
+(typeattributeset radio_core_data_file_33_0 (radio_core_data_file))
+(typeattributeset radio_data_file_33_0 (radio_data_file))
+(typeattributeset radio_device_33_0 (radio_device))
+(typeattributeset radio_prop_33_0 (radio_prop))
+(typeattributeset radio_service_33_0 (radio_service))
+(typeattributeset ram_device_33_0 (ram_device))
+(typeattributeset random_device_33_0 (random_device))
+(typeattributeset reboot_readiness_service_33_0 (reboot_readiness_service))
+(typeattributeset rebootescrow_hal_prop_33_0 (rebootescrow_hal_prop))
+(typeattributeset recovery_33_0 (recovery))
+(typeattributeset recovery_block_device_33_0 (recovery_block_device))
+(typeattributeset recovery_config_prop_33_0 (recovery_config_prop))
+(typeattributeset recovery_data_file_33_0 (recovery_data_file))
+(typeattributeset recovery_persist_33_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_33_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_33_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_33_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_33_0 (recovery_service))
+(typeattributeset recovery_socket_33_0 (recovery_socket))
+(typeattributeset registry_service_33_0 (registry_service))
+(typeattributeset remotelyprovisionedkeypool_service_33_0 (remotelyprovisionedkeypool_service))
+(typeattributeset remoteprovisioning_service_33_0 (remoteprovisioning_service))
+(typeattributeset resourcecache_data_file_33_0 (resourcecache_data_file))
+(typeattributeset resources_manager_service_33_0 (resources_manager_service))
+(typeattributeset restorecon_prop_33_0 (restorecon_prop))
+(typeattributeset restrictions_service_33_0 (restrictions_service))
+(typeattributeset retaildemo_prop_33_0 (retaildemo_prop))
+(typeattributeset rild_debug_socket_33_0 (rild_debug_socket))
+(typeattributeset rild_socket_33_0 (rild_socket))
+(typeattributeset ringtone_file_33_0 (ringtone_file))
+(typeattributeset role_service_33_0 (role_service))
+(typeattributeset rollback_service_33_0 (rollback_service))
+(typeattributeset root_block_device_33_0 (root_block_device))
+(typeattributeset rootdisk_sysdev_33_0 (rootdisk_sysdev))
+(typeattributeset rootfs_33_0 (rootfs))
+(typeattributeset rpmsg_device_33_0 (rpmsg_device))
+(typeattributeset rs_33_0 (rs))
+(typeattributeset rs_exec_33_0 (rs_exec))
+(typeattributeset rss_hwm_reset_33_0 (rss_hwm_reset))
+(typeattributeset rtc_device_33_0 (rtc_device))
+(typeattributeset rttmanager_service_33_0 (rttmanager_service))
+(typeattributeset runas_33_0 (runas))
+(typeattributeset runas_app_33_0 (runas_app))
+(typeattributeset runas_exec_33_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_33_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_33_0 (runtime_service))
+(typeattributeset safemode_prop_33_0 (safemode_prop))
+(typeattributeset same_process_hal_file_33_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_33_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_33_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_33_0 (sdcard_block_device))
+(typeattributeset sdcardd_33_0 (sdcardd))
+(typeattributeset sdcardd_exec_33_0 (sdcardd_exec))
+(typeattributeset sdcardfs_33_0 (sdcardfs))
+(typeattributeset sdk_sandbox_service_33_0 (sdk_sandbox_service))
+(typeattributeset seapp_contexts_file_33_0 (seapp_contexts_file))
+(typeattributeset search_service_33_0 (search_service))
+(typeattributeset search_ui_service_33_0 (search_ui_service))
+(typeattributeset sec_key_att_app_id_provider_service_33_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_33_0 (secure_element))
+(typeattributeset secure_element_device_33_0 (secure_element_device))
+(typeattributeset secure_element_service_33_0 (secure_element_service))
+(typeattributeset securityfs_33_0 (securityfs))
+(typeattributeset selection_toolbar_service_33_0 (selection_toolbar_service))
+(typeattributeset selinuxfs_33_0 (selinuxfs))
+(typeattributeset sendbug_config_prop_33_0 (sendbug_config_prop))
+(typeattributeset sensor_privacy_service_33_0 (sensor_privacy_service))
+(typeattributeset sensors_device_33_0 (sensors_device))
+(typeattributeset sensorservice_service_33_0 (sensorservice_service))
+(typeattributeset sepolicy_file_33_0 (sepolicy_file))
+(typeattributeset serial_device_33_0 (serial_device))
+(typeattributeset serial_service_33_0 (serial_service))
+(typeattributeset serialno_prop_33_0 (serialno_prop))
+(typeattributeset server_configurable_flags_data_file_33_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_33_0 (service_contexts_file))
+(typeattributeset service_manager_service_33_0 (service_manager_service))
+(typeattributeset service_manager_vndservice_33_0 (service_manager_vndservice))
+(typeattributeset servicediscovery_service_33_0 (servicediscovery_service))
+(typeattributeset servicemanager_33_0 (servicemanager))
+(typeattributeset servicemanager_exec_33_0 (servicemanager_exec))
+(typeattributeset settings_service_33_0 (settings_service))
+(typeattributeset sgdisk_33_0 (sgdisk))
+(typeattributeset sgdisk_exec_33_0 (sgdisk_exec))
+(typeattributeset shared_relro_33_0 (shared_relro))
+(typeattributeset shared_relro_file_33_0 (shared_relro_file))
+(typeattributeset shell_33_0 (shell))
+(typeattributeset shell_data_file_33_0 (shell_data_file))
+(typeattributeset shell_exec_33_0 (shell_exec))
+(typeattributeset shell_prop_33_0 (shell_prop))
+(typeattributeset shell_test_data_file_33_0 (shell_test_data_file))
+(typeattributeset shm_33_0 (shm))
+(typeattributeset shortcut_manager_icons_33_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_33_0 (shortcut_service))
+(typeattributeset simpleperf_33_0 (simpleperf))
+(typeattributeset simpleperf_app_runner_33_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_33_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_33_0 (slice_service))
+(typeattributeset slideshow_33_0 (slideshow))
+(typeattributeset smart_idle_maint_enabled_prop_33_0 (smart_idle_maint_enabled_prop))
+(typeattributeset smartspace_service_33_0 (smartspace_service))
+(typeattributeset snapshotctl_log_data_file_33_0 (snapshotctl_log_data_file))
+(typeattributeset snapuserd_proxy_socket_33_0 (snapuserd_proxy_socket))
+(typeattributeset snapuserd_socket_33_0 (snapuserd_socket))
+(typeattributeset soc_prop_33_0 (soc_prop))
+(typeattributeset socket_device_33_0 (socket_device))
+(typeattributeset socket_hook_prop_33_0 (socket_hook_prop))
+(typeattributeset sockfs_33_0 (sockfs))
+(typeattributeset sota_prop_33_0 (sota_prop))
+(typeattributeset soundtrigger_middleware_service_33_0 (soundtrigger_middleware_service))
+(typeattributeset speech_recognition_service_33_0 (speech_recognition_service))
+(typeattributeset sqlite_log_prop_33_0 (sqlite_log_prop))
+(typeattributeset staged_install_file_33_0 (staged_install_file))
+(typeattributeset staging_data_file_33_0 (staging_data_file))
+(typeattributeset stats_data_file_33_0 (stats_data_file))
+(typeattributeset statsd_33_0 (statsd))
+(typeattributeset statsd_exec_33_0 (statsd_exec))
+(typeattributeset statsdw_socket_33_0 (statsdw_socket))
+(typeattributeset statusbar_service_33_0 (statusbar_service))
+(typeattributeset storage_config_prop_33_0 (storage_config_prop))
+(typeattributeset storage_file_33_0 (storage_file))
+(typeattributeset storage_stub_file_33_0 (storage_stub_file))
+(typeattributeset storaged_service_33_0 (storaged_service))
+(typeattributeset storagemanager_config_prop_33_0 (storagemanager_config_prop))
+(typeattributeset storagestats_service_33_0 (storagestats_service))
+(typeattributeset su_33_0 (su))
+(typeattributeset su_exec_33_0 (su_exec))
+(typeattributeset super_block_device_33_0 (super_block_device))
+(typeattributeset surfaceflinger_33_0 (surfaceflinger))
+(typeattributeset surfaceflinger_color_prop_33_0 (surfaceflinger_color_prop))
+(typeattributeset surfaceflinger_display_prop_33_0 (surfaceflinger_display_prop))
+(typeattributeset surfaceflinger_prop_33_0 (surfaceflinger_prop))
+(typeattributeset surfaceflinger_service_33_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_33_0 (surfaceflinger_tmpfs))
+(typeattributeset suspend_prop_33_0 (suspend_prop))
+(typeattributeset swap_block_device_33_0 (swap_block_device))
+(typeattributeset sysfs_33_0 (sysfs))
+(typeattributeset sysfs_android_usb_33_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_33_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_33_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devfreq_cur_33_0 (sysfs_devfreq_cur))
+(typeattributeset sysfs_devfreq_dir_33_0 (sysfs_devfreq_dir))
+(typeattributeset sysfs_devices_block_33_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_cs_etm_33_0 (sysfs_devices_cs_etm))
+(typeattributeset sysfs_devices_system_cpu_33_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_33_0 (sysfs_dm))
+(typeattributeset sysfs_dm_verity_33_0 (sysfs_dm_verity))
+(typeattributeset sysfs_dma_heap_33_0 (sysfs_dma_heap))
+(typeattributeset sysfs_dmabuf_stats_33_0 (sysfs_dmabuf_stats))
+(typeattributeset sysfs_dt_firmware_android_33_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_33_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_33_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_33_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_fs_fuse_bpf_33_0 (sysfs_fs_fuse_bpf))
+(typeattributeset sysfs_fs_incfs_features_33_0 (sysfs_fs_incfs_features))
+(typeattributeset sysfs_fs_incfs_metrics_33_0 (sysfs_fs_incfs_metrics))
+(typeattributeset sysfs_gpu_33_0 (sysfs_gpu))
+(typeattributeset sysfs_hwrandom_33_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ion_33_0 (sysfs_ion))
+(typeattributeset sysfs_ipv4_33_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_33_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_33_0 (sysfs_leds))
+(typeattributeset sysfs_loop_33_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_33_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_lru_gen_enabled_33_0 (sysfs_lru_gen_enabled))
+(typeattributeset sysfs_net_33_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_33_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_33_0 (sysfs_power))
+(typeattributeset sysfs_rtc_33_0 (sysfs_rtc))
+(typeattributeset sysfs_suspend_stats_33_0 (sysfs_suspend_stats))
+(typeattributeset sysfs_switch_33_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_33_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_33_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uhid_33_0 (sysfs_uhid))
+(typeattributeset sysfs_uio_33_0 (sysfs_uio))
+(typeattributeset sysfs_usb_33_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_33_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vendor_sched_33_0 (sysfs_vendor_sched))
+(typeattributeset sysfs_vibrator_33_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_33_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_33_0 (sysfs_wakeup))
+(typeattributeset sysfs_wakeup_reasons_33_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_33_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_33_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_33_0 (sysfs_zram_uevent))
+(typeattributeset system_app_33_0 (system_app))
+(typeattributeset system_app_data_file_33_0 (system_app_data_file))
+(typeattributeset system_app_service_33_0 (system_app_service))
+(typeattributeset system_asan_options_file_33_0 (system_asan_options_file))
+(typeattributeset system_block_device_33_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_33_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_33_0 (system_bootstrap_lib_file))
+(typeattributeset system_config_service_33_0 (system_config_service))
+(typeattributeset system_data_file_33_0 (system_data_file system_userdir_file))
+(typeattributeset system_data_root_file_33_0 (system_data_root_file))
+(typeattributeset system_dlkm_file_33_0 (system_dlkm_file))
+(typeattributeset system_event_log_tags_file_33_0 (system_event_log_tags_file))
+(typeattributeset system_file_33_0 (system_file))
+(typeattributeset system_group_file_33_0 (system_group_file))
+(typeattributeset system_jvmti_agent_prop_33_0 (system_jvmti_agent_prop))
+(typeattributeset system_lib_file_33_0 (system_lib_file))
+(typeattributeset system_linker_config_file_33_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_33_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_33_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_33_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_33_0 (system_net_netd_hwservice))
+(typeattributeset system_passwd_file_33_0 (system_passwd_file))
+(typeattributeset system_prop_33_0 (system_prop))
+(typeattributeset system_seccomp_policy_file_33_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_33_0 (system_security_cacerts_file))
+(typeattributeset system_server_33_0 (system_server))
+(typeattributeset system_server_dumper_service_33_0 (system_server_dumper_service))
+(typeattributeset system_server_tmpfs_33_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_internal_service_33_0 (system_suspend_control_internal_service))
+(typeattributeset system_suspend_control_service_33_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_33_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_33_0 (system_trace_prop))
+(typeattributeset system_unsolzygote_socket_33_0 (system_unsolzygote_socket))
+(typeattributeset system_update_service_33_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_33_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_33_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_33_0 (system_zoneinfo_file))
+(typeattributeset systemkeys_data_file_33_0 (systemkeys_data_file))
+(typeattributeset systemsound_config_prop_33_0 (systemsound_config_prop))
+(typeattributeset tare_service_33_0 (tare_service))
+(typeattributeset task_profiles_api_file_33_0 (task_profiles_api_file))
+(typeattributeset task_profiles_file_33_0 (task_profiles_file))
+(typeattributeset task_service_33_0 (task_service))
+(typeattributeset tcpdump_exec_33_0 (tcpdump_exec))
+(typeattributeset tee_33_0 (tee))
+(typeattributeset tee_data_file_33_0 (tee_data_file))
+(typeattributeset tee_device_33_0 (tee_device))
+(typeattributeset telecom_service_33_0 (telecom_service))
+(typeattributeset telephony_config_prop_33_0 (telephony_config_prop))
+(typeattributeset telephony_status_prop_33_0 (telephony_status_prop))
+(typeattributeset test_boot_reason_prop_33_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_33_0 (test_harness_prop))
+(typeattributeset testharness_service_33_0 (testharness_service))
+(typeattributeset tethering_service_33_0 (tethering_service))
+(typeattributeset textclassification_service_33_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_33_0 (textclassifier_data_file))
+(typeattributeset textservices_service_33_0 (textservices_service))
+(typeattributeset texttospeech_service_33_0 (texttospeech_service))
+(typeattributeset theme_prop_33_0 (theme_prop))
+(typeattributeset thermal_service_33_0 (thermal_service))
+(typeattributeset time_prop_33_0 (time_prop))
+(typeattributeset timedetector_service_33_0 (timedetector_service))
+(typeattributeset timezone_service_33_0 (timezone_service))
+(typeattributeset timezonedetector_service_33_0 (timezonedetector_service))
+(typeattributeset tmpfs_33_0 (tmpfs))
+(typeattributeset tombstone_config_prop_33_0 (tombstone_config_prop))
+(typeattributeset tombstone_data_file_33_0 (tombstone_data_file))
+(typeattributeset tombstone_wifi_data_file_33_0 (tombstone_wifi_data_file))
+(typeattributeset tombstoned_33_0 (tombstoned))
+(typeattributeset tombstoned_crash_socket_33_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_33_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_33_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_33_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_33_0 (toolbox))
+(typeattributeset toolbox_exec_33_0 (toolbox_exec))
+(typeattributeset trace_data_file_33_0 (trace_data_file))
+(typeattributeset traced_33_0 (traced))
+(typeattributeset traced_consumer_socket_33_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_33_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_33_0 (traced_lazy_prop))
+(typeattributeset traced_perf_33_0 (traced_perf))
+(typeattributeset traced_perf_socket_33_0 (traced_perf_socket))
+(typeattributeset traced_probes_33_0 (traced_probes))
+(typeattributeset traced_producer_socket_33_0 (traced_producer_socket))
+(typeattributeset traced_tmpfs_33_0 (traced_tmpfs))
+(typeattributeset traceur_app_33_0 (traceur_app))
+(typeattributeset translation_service_33_0 (translation_service))
+(typeattributeset trust_service_33_0 (trust_service))
+(typeattributeset tty_device_33_0 (tty_device))
+(typeattributeset tun_device_33_0 (tun_device))
+(typeattributeset tv_iapp_service_33_0 (tv_iapp_service))
+(typeattributeset tv_input_service_33_0 (tv_input_service))
+(typeattributeset tv_tuner_resource_mgr_service_33_0 (tv_tuner_resource_mgr_service))
+(typeattributeset tzdatacheck_33_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_33_0 (tzdatacheck_exec))
+(typeattributeset ueventd_33_0 (ueventd))
+(typeattributeset ueventd_tmpfs_33_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_33_0 (uhid_device))
+(typeattributeset uimode_service_33_0 (uimode_service))
+(typeattributeset uio_device_33_0 (uio_device))
+(typeattributeset uncrypt_33_0 (uncrypt))
+(typeattributeset uncrypt_exec_33_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_33_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_33_0 (unencrypted_data_file))
+(typeattributeset unlabeled_33_0 (unlabeled))
+(typeattributeset untrusted_app_25_33_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_33_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_33_0 (untrusted_app_29))
+(typeattributeset untrusted_app_30_33_0 (untrusted_app_30))
+(typeattributeset untrusted_app_33_0 (untrusted_app))
+(typeattributeset update_engine_33_0 (update_engine))
+(typeattributeset update_engine_data_file_33_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_33_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_33_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_33_0 (update_engine_service))
+(typeattributeset update_engine_stable_service_33_0 (update_engine_stable_service))
+(typeattributeset update_verifier_33_0 (update_verifier))
+(typeattributeset update_verifier_exec_33_0 (update_verifier_exec))
+(typeattributeset updatelock_service_33_0 (updatelock_service))
+(typeattributeset uri_grants_service_33_0 (uri_grants_service))
+(typeattributeset usagestats_service_33_0 (usagestats_service))
+(typeattributeset usb_config_prop_33_0 (usb_config_prop))
+(typeattributeset usb_control_prop_33_0 (usb_control_prop))
+(typeattributeset usb_device_33_0 (usb_device))
+(typeattributeset usb_prop_33_0 (usb_prop))
+(typeattributeset usb_serial_device_33_0 (usb_serial_device))
+(typeattributeset usb_service_33_0 (usb_service))
+(typeattributeset usbaccessory_device_33_0 (usbaccessory_device))
+(typeattributeset usbd_33_0 (usbd))
+(typeattributeset usbd_exec_33_0 (usbd_exec))
+(typeattributeset usbfs_33_0 (usbfs))
+(typeattributeset use_memfd_prop_33_0 (use_memfd_prop))
+(typeattributeset user_profile_data_file_33_0 (user_profile_data_file))
+(typeattributeset user_profile_root_file_33_0 (user_profile_root_file))
+(typeattributeset user_service_33_0 (user_service))
+(typeattributeset userdata_block_device_33_0 (userdata_block_device))
+(typeattributeset userdata_sysdev_33_0 (userdata_sysdev))
+(typeattributeset usermodehelper_33_0 (usermodehelper))
+(typeattributeset userspace_reboot_config_prop_33_0 (userspace_reboot_config_prop))
+(typeattributeset userspace_reboot_exported_prop_33_0 (userspace_reboot_exported_prop))
+(typeattributeset userspace_reboot_metadata_file_33_0 (userspace_reboot_metadata_file))
+(typeattributeset uwb_service_33_0 (uwb_service))
+(typeattributeset vcn_management_service_33_0 (vcn_management_service))
+(typeattributeset vd_device_33_0 (vd_device))
+(typeattributeset vdc_33_0 (vdc))
+(typeattributeset vdc_exec_33_0 (vdc_exec))
+(typeattributeset vehicle_hal_prop_33_0 (vehicle_hal_prop))
+(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
+(typeattributeset vendor_app_file_33_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
+(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
+(typeattributeset vendor_file_33_0 (vendor_file))
+(typeattributeset vendor_framework_file_33_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_33_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_33_0 (vendor_idc_file))
+(typeattributeset vendor_init_33_0 (vendor_init))
+(typeattributeset vendor_kernel_modules_33_0 (vendor_kernel_modules))
+(typeattributeset vendor_keychars_file_33_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_33_0 (vendor_keylayout_file))
+(typeattributeset vendor_misc_writer_33_0 (vendor_misc_writer))
+(typeattributeset vendor_misc_writer_exec_33_0 (vendor_misc_writer_exec))
+(typeattributeset vendor_modprobe_33_0 (vendor_modprobe))
+(typeattributeset vendor_overlay_file_33_0 (vendor_overlay_file))
+(typeattributeset vendor_public_framework_file_33_0 (vendor_public_framework_file))
+(typeattributeset vendor_public_lib_file_33_0 (vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_33_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_service_contexts_file_33_0 (vendor_service_contexts_file))
+(typeattributeset vendor_shell_33_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_33_0 (vendor_shell_exec))
+(typeattributeset vendor_socket_hook_prop_33_0 (vendor_socket_hook_prop))
+(typeattributeset vendor_task_profiles_file_33_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_33_0 (vendor_toolbox_exec))
+(typeattributeset vendor_uuid_mapping_config_file_33_0 (vendor_uuid_mapping_config_file))
+(typeattributeset vendor_vm_data_file_33_0 (vendor_vm_data_file))
+(typeattributeset vendor_vm_file_33_0 (vendor_vm_file))
+(typeattributeset vfat_33_0 (vfat))
+(typeattributeset vibrator_manager_service_33_0 (vibrator_manager_service))
+(typeattributeset vibrator_service_33_0 (vibrator_service))
+(typeattributeset video_device_33_0 (video_device))
+(typeattributeset virtual_ab_prop_33_0 (virtual_ab_prop))
+(typeattributeset virtual_device_service_33_0 (virtual_device_service))
+(typeattributeset virtual_touchpad_33_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_33_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_33_0 (virtual_touchpad_service))
+(typeattributeset virtualization_service_33_0 (virtualization_service))
+(typeattributeset vndbinder_device_33_0 (vndbinder_device))
+(typeattributeset vndk_prop_33_0 (vndk_prop))
+(typeattributeset vndk_sp_file_33_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_33_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_33_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_33_0 (voiceinteraction_service))
+(typeattributeset vold_33_0 (vold))
+(typeattributeset vold_config_prop_33_0 (vold_config_prop))
+(typeattributeset vold_data_file_33_0 (vold_data_file))
+(typeattributeset vold_device_33_0 (vold_device))
+(typeattributeset vold_exec_33_0 (vold_exec))
+(typeattributeset vold_metadata_file_33_0 (vold_metadata_file))
+(typeattributeset vold_post_fs_data_prop_33_0 (vold_post_fs_data_prop))
+(typeattributeset vold_prepare_subdirs_33_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_33_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_33_0 (vold_prop))
+(typeattributeset vold_service_33_0 (vold_service))
+(typeattributeset vold_status_prop_33_0 (vold_status_prop))
+(typeattributeset vpn_data_file_33_0 (vpn_data_file))
+(typeattributeset vpn_management_service_33_0 (vpn_management_service))
+(typeattributeset vr_hwc_service_33_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_33_0 (vr_manager_service))
+(typeattributeset vrflinger_vsync_service_33_0 (vrflinger_vsync_service))
+(typeattributeset vts_config_prop_33_0 (vts_config_prop))
+(typeattributeset vts_status_prop_33_0 (vts_status_prop))
+(typeattributeset wallpaper_effects_generation_service_33_0 (wallpaper_effects_generation_service))
+(typeattributeset wallpaper_file_33_0 (wallpaper_file))
+(typeattributeset wallpaper_service_33_0 (wallpaper_service))
+(typeattributeset watchdog_device_33_0 (watchdog_device))
+(typeattributeset watchdog_metadata_file_33_0 (watchdog_metadata_file))
+(typeattributeset watchdogd_33_0 (watchdogd))
+(typeattributeset watchdogd_exec_33_0 (watchdogd_exec))
+(typeattributeset webview_zygote_33_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_33_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_33_0 (webview_zygote_tmpfs))
+(typeattributeset webviewupdate_service_33_0 (webviewupdate_service))
+(typeattributeset wifi_config_prop_33_0 (wifi_config_prop))
+(typeattributeset wifi_data_file_33_0 (wifi_data_file))
+(typeattributeset wifi_hal_prop_33_0 (wifi_hal_prop))
+(typeattributeset wifi_key_33_0 (wifi_key))
+(typeattributeset wifi_log_prop_33_0 (wifi_log_prop))
+(typeattributeset wifi_prop_33_0 (wifi_prop))
+(typeattributeset wifi_service_33_0 (wifi_service))
+(typeattributeset wifiaware_service_33_0 (wifiaware_service))
+(typeattributeset wificond_33_0 (wificond))
+(typeattributeset wificond_exec_33_0 (wificond_exec))
+(typeattributeset wifinl80211_service_33_0 (wifinl80211_service))
+(typeattributeset wifip2p_service_33_0 (wifip2p_service))
+(typeattributeset wifiscanner_service_33_0 (wifiscanner_service))
+(typeattributeset window_service_33_0 (window_service))
+(typeattributeset wpa_socket_33_0 (wpa_socket))
+(typeattributeset wpantund_33_0 (wpantund))
+(typeattributeset wpantund_exec_33_0 (wpantund_exec))
+(typeattributeset wpantund_service_33_0 (wpantund_service))
+(typeattributeset zero_device_33_0 (zero_device))
+(typeattributeset zoneinfo_data_file_33_0 (zoneinfo_data_file))
+(typeattributeset zram_config_prop_33_0 (zram_config_prop))
+(typeattributeset zram_control_prop_33_0 (zram_control_prop))
+(typeattributeset zygote_33_0 (zygote))
+(typeattributeset zygote_config_prop_33_0 (zygote_config_prop))
+(typeattributeset zygote_exec_33_0 (zygote_exec))
+(typeattributeset zygote_socket_33_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_33_0 (zygote_tmpfs))
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
new file mode 100644
index 0000000..628abfc
--- /dev/null
+++ b/private/compat/33.0/33.0.compat.cil
@@ -0,0 +1 @@
+;; This file can't be empty.
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
new file mode 100644
index 0000000..90e2eaf
--- /dev/null
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -0,0 +1,22 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ apex_ready_prop
+ artd
+ device_config_memory_safety_native_prop
+ device_config_vendor_system_native_prop
+ hal_bootctl_service
+ hal_tv_input_service
+ keystore_config_prop
+ permissive_mte_prop
+ servicemanager_prop
+ system_net_netd_service
+ tuner_config_prop
+ tuner_server_ctl_prop
+ virtual_face_hal_prop
+ virtual_fingerprint_hal_prop
+ ))
diff --git a/private/compos_verify.te b/private/compos_verify.te
index 0a281f8..5b3615e 100644
--- a/private/compos_verify.te
+++ b/private/compos_verify.te
@@ -6,9 +6,10 @@
binder_use(compos_verify);
virtualizationservice_use(compos_verify);
-# Access instance image files
+# Read instance image & write VM logs
allow compos_verify apex_module_data_file:dir search;
-r_dir_file(compos_verify, apex_compos_data_file)
+allow compos_verify apex_compos_data_file:dir rw_dir_perms;
+allow compos_verify apex_compos_data_file:file { rw_file_perms create };
# Read CompOS info & signature files
allow compos_verify apex_art_data_file:dir search;
diff --git a/private/coredomain.te b/private/coredomain.te
index e4c9a52..c041ca3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,3 +1,4 @@
+get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop)
@@ -50,6 +51,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-dex2oat
-dexoptanalyzer
-idmap
@@ -67,6 +69,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-dex2oat
-dexoptanalyzer
-idmap
@@ -75,6 +78,7 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
+ -profman
-rs # spawned by appdomain, so carryover the exception above
userdebug_or_eng(`-simpleperf_boot')
-system_server
@@ -91,8 +95,6 @@
-idmap
-init
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -111,8 +113,6 @@
-idmap
-init
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 90ffeb5..31f0128 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,6 +8,7 @@
-apexd
-bpfloader
-crash_dump
+ -crosvm # TODO(b/236672526): Remove exception for crosvm
-diced
-init
-kernel
@@ -19,7 +20,6 @@
-vold
}:process { ptrace signal sigchld sigstop sigkill };
-# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
userdebug_or_eng(`
allow crash_dump {
apexd
diff --git a/private/crosvm.te b/private/crosvm.te
index e47abd7..f3fc9a8 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -63,8 +63,8 @@
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
-# For ACPI
-allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
+dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
diff --git a/private/dex2oat.te b/private/dex2oat.te
index e7cdd5f..2ce2459 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -15,7 +15,6 @@
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
@@ -38,12 +37,8 @@
# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
allow dex2oat apex_module_data_file:dir search;
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
+# Allow dex2oat to use devpts passed from odsign.
allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
# Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area.
@@ -61,6 +56,9 @@
# Allow dex2oat to read /apex/apex-info-list.xml
allow dex2oat apex_info_file:file r_file_perms;
+# Allow dex2oat to use file descriptors passed from privileged programs.
+allow dex2oat { artd installd odrefresh odsign }:fd use;
+
##################
# A/B OTA Dexopt #
##################
diff --git a/private/domain.te b/private/domain.te
index 2ef688c..c585613 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -77,6 +77,11 @@
# Read access to bq configuration values
get_prop(domain, bq_config_prop);
+# Allow all domains to check whether MTE is set to permissive mode.
+get_prop(domain, permissive_mte_prop);
+
+get_prop(domain, device_config_memory_safety_native_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
@@ -181,8 +186,6 @@
-app_zygote
-dexoptanalyzer
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
@@ -205,7 +208,6 @@
-appdomain
-app_zygote
-installd
- -iorap_prefetcherd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -230,7 +232,6 @@
-system_server
-apexd
-installd
- -iorap_inode2filename
-priv_app
-virtualizationservice
} staging_data_file:dir *;
@@ -243,7 +244,6 @@
-adbd
-kernel
-installd
- -iorap_inode2filename
-priv_app
-shell
-virtualizationservice
@@ -273,7 +273,6 @@
domain
-appdomain
with_asan(`-asan_extract')
- -iorap_prefetcherd
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
@@ -309,6 +308,7 @@
-cppreopts
-dex2oat
-otapreopt_slot
+ -artd
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -320,6 +320,7 @@
-dex2oat
-zygote
-otapreopt_slot
+ -artd
} dalvikcache_data_file:dir no_w_dir_perms;
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
@@ -367,6 +368,7 @@
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
apexd
+ artd
dnsmasq
dumpstate
init
@@ -394,8 +396,6 @@
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
- iorap_inode2filename
- iorap_prefetcherd
traced_perf
traced_probes
heapprofd
@@ -475,8 +475,6 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-init
- -iorap_inode2filename
- -iorap_prefetcherd
-kernel
userdebug_or_eng(`-simpleperf_boot')
-traced_perf
@@ -514,8 +512,6 @@
-crash_dump
-crosvm # loads vendor-specific disk images
-init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
-kernel # loads /vendor/firmware
-heapprofd
userdebug_or_eng(`-profcollectd')
@@ -619,7 +615,6 @@
-appdomain
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
- -iorap_inode2filename
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
diff --git a/private/extra_free_kbytes.te b/private/extra_free_kbytes.te
index af3088b..d210884 100644
--- a/private/extra_free_kbytes.te
+++ b/private/extra_free_kbytes.te
@@ -1,3 +1,6 @@
typeattribute extra_free_kbytes coredomain;
init_daemon_domain(extra_free_kbytes)
+
+# Only extra_free_kbytes script is allowed to store these properties
+set_prop(extra_free_kbytes, init_storage_prop)
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 2c65281..c33e044 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -46,3 +46,8 @@
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
')
+
+# io_uring_setup needs ipc_lock and permission to operate anon inodes
+allow fastbootd self:capability ipc_lock;
+
+allow fastbootd self:anon_inode create_file_perms;
diff --git a/private/file.te b/private/file.te
index c4ee2aa..3f5531f 100644
--- a/private/file.te
+++ b/private/file.te
@@ -115,3 +115,8 @@
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
# property labeled.
type sepolicy_test_file, file_type;
+
+# /apex/com.android.art/bin/art_exec
+# This executable does not have its own domain because it is executed in the caller's domain. For
+# example, it is executed in the `artd` domain when artd calls it.
+type art_exec_exec, system_file_type, exec_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index e21c18c..f5d40c8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -268,6 +268,8 @@
/system/bin/audioserver u:object_r:audioserver_exec:s0
/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediaserver32 u:object_r:mediaserver_exec:s0
+/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
@@ -323,24 +325,18 @@
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
-/system/bin/iorapd u:object_r:iorapd_exec:s0
-/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
-/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
-/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/profcollectd u:object_r:profcollectd_exec:s0
/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
+/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
@@ -373,7 +369,7 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
+/system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
@@ -563,7 +559,8 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
-/data/media(/.*)? u:object_r:media_rw_data_file:s0
+/data/media u:object_r:media_userdir_file:s0
+/data/media/.* u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
@@ -580,6 +577,12 @@
/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
/data/fonts/files(/.*)? u:object_r:font_data_file:s0
+/data/misc_ce u:object_r:system_userdir_file:s0
+/data/misc_de u:object_r:system_userdir_file:s0
+/data/system_ce u:object_r:system_userdir_file:s0
+/data/system_de u:object_r:system_userdir_file:s0
+/data/user u:object_r:system_userdir_file:s0
+/data/user_de u:object_r:system_userdir_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
@@ -649,9 +652,7 @@
/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
@@ -665,8 +666,10 @@
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
-/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
-/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_ce u:object_r:vendor_userdir_file:s0
+/data/vendor_ce/.* u:object_r:vendor_data_file:s0
+/data/vendor_de u:object_r:vendor_userdir_file:s0
+/data/vendor_de/.* u:object_r:vendor_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
@@ -725,8 +728,17 @@
#############################
# Expanded data files
#
-/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
-/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
+/mnt/expand u:object_r:mnt_expand_file:s0
+# CAREFUL: the two system_data_file patterns below can't be replaced with one
+# pattern "/mnt/expand/[^/]+(/.*)?", since SELinux would prioritize that over
+# "/mnt/expand/[^/]+/user". This is because when a path is matched by two
+# patterns that contain regex meta-characters, SELinux just chooses the longer
+# pattern (or the later pattern if the patterns are the same length), rather
+# than the pattern containing fewer regex meta-characters. Splitting the
+# pattern into "/mnt/expand/[^/]+" and "/mnt/expand/[^/]+/.*" works around this
+# problem, except for 1-character filenames which we aren't using.
+/mnt/expand/[^/]+ u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/.* u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
@@ -734,8 +746,13 @@
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/media u:object_r:media_userdir_file:s0
+/mnt/expand/[^/]+/media/.* u:object_r:media_rw_data_file:s0
/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/mnt/expand/[^/]+/misc_ce u:object_r:system_userdir_file:s0
+/mnt/expand/[^/]+/misc_de u:object_r:system_userdir_file:s0
+/mnt/expand/[^/]+/user u:object_r:system_userdir_file:s0
+/mnt/expand/[^/]+/user_de u:object_r:system_userdir_file:s0
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
@@ -760,9 +777,6 @@
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
-# iorapd per-user data
-/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
-
# Backup service persistent per-user bookkeeping
/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
# Backup service temporary per-user data for inter-change with apps
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 54ecd45..64b595d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -24,7 +24,9 @@
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
+set_prop(flags_health_check, device_config_memory_safety_native_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 2198c15..8795798 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -5,11 +5,6 @@
app_domain(gmscore_app)
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 246f936..36d2938 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -41,11 +41,14 @@
# executables/libraries/etc to do stack unwinding.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
-r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(heapprofd, apex_art_data_file)
+allow heapprofd apex_module_data_file:dir { getattr search };
+
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index e1fde43..5982ecf 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -7,3 +7,6 @@
set_prop(hwservicemanager, ctl_interface_start_prop)
set_prop(hwservicemanager, hwservicemanager_prop)
+
+# hwservicemanager is using bootstrap bionic
+use_bootstrap_libs(hwservicemanager)
diff --git a/private/init.te b/private/init.te
index 997a184..9e50bd4 100644
--- a/private/init.te
+++ b/private/init.te
@@ -11,6 +11,7 @@
recovery_only(`
# Files in recovery image are labeled as rootfs.
domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, hal_bootctl_server)
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, hal_health_server)
diff --git a/private/installd.te b/private/installd.te
index 538641d..9673cfd 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -45,7 +45,7 @@
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
-allow installd staging_data_file:dir { open read remove_name rmdir search write };
+allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb262..0000000
--- a/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512..0000000
--- a/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
deleted file mode 100644
index 73acec9..0000000
--- a/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/keystore.te b/private/keystore.te
index 78c0198..8e681b1 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -26,6 +26,7 @@
# Keystore need access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
+# Allow keystore to listen to changing boot levels
get_prop(keystore, keystore_listen_prop)
# Keystore needs to transfer binder references to vold so that it
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index a9a52bb..dc6882b 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -12,6 +12,7 @@
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
# Allow MediaProvider to read/write media_rw_data_file files and dirs
+allow mediaprovider_app media_userdir_file:dir r_dir_perms;
allow mediaprovider_app media_rw_data_file:file create_file_perms;
allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
diff --git a/private/mediatuner.te b/private/mediatuner.te
index 413d2e5..bfb264e 100644
--- a/private/mediatuner.te
+++ b/private/mediatuner.te
@@ -17,6 +17,9 @@
allow mediatuner package_native_service:service_manager find;
binder_call(mediatuner, system_server)
+# Read ro.tuner.lazyhal
+get_prop(mediatuner, tuner_config_prop)
+
###
### neverallow rules
###
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 22482d9..0aed4d3 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -7,22 +7,16 @@
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
-system_server
-adbd
-runas
diff --git a/private/net.te b/private/net.te
index 9e15f41..07e4271 100644
--- a/private/net.te
+++ b/private/net.te
@@ -12,6 +12,7 @@
netdomain
-ephemeral_app
-mediaprovider
+ -priv_app
-sdk_sandbox
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/private/perfetto.te b/private/perfetto.te
index 5897aed..45fa60b 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -110,20 +110,19 @@
data_file_type
-system_data_file
-system_data_root_file
+ -media_userdir_file
+ -system_userdir_file
+ -vendor_userdir_file
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
- -zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
-neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
neverallow perfetto {
data_file_type
- -zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
diff --git a/private/platform_app.te b/private/platform_app.te
index b723633..f14e52d 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,7 +67,6 @@
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app thermal_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
@@ -113,10 +112,6 @@
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)
diff --git a/private/profman.te b/private/profman.te
index f61d05e..390f83e 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -1 +1,12 @@
typeattribute profman coredomain;
+
+# Allow profman to read APKs and profile files next to them by FDs passed from
+# other programs. In addition, allow profman to acquire flocks on those files.
+allow profman {
+ system_file
+ apk_data_file
+ vendor_app_file
+}:file { getattr read map lock };
+
+# Allow profman to use file descriptors passed from privileged programs.
+allow profman { artd installd }:fd use;
diff --git a/private/property.te b/private/property.te
index 41a4c2f..bb49742 100644
--- a/private/property.te
+++ b/private/property.te
@@ -18,6 +18,7 @@
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
+system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(keystore_crash_prop)
system_internal_prop(keystore_listen_prop)
@@ -38,6 +39,7 @@
system_internal_prop(snapuserd_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(traced_perf_enabled_prop)
+system_internal_prop(tuner_server_ctl_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
@@ -45,10 +47,10 @@
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
+system_internal_prop(ctl_apex_load_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
-system_restricted_prop(system_user_mode_emulation_prop)
###
### Neverallow rules
@@ -121,7 +123,6 @@
-restorecon_prop
-shell_prop
-system_prop
- -system_user_mode_emulation_prop
-usb_prop
-vold_prop
}:file no_rw_file_perms;
@@ -150,6 +151,12 @@
neverallow {
domain
-init
+ -extra_free_kbytes
+} init_storage_prop:property_service set;
+
+neverallow {
+ domain
+ -init
} init_svc_debug_prop:property_service set;
neverallow {
@@ -630,6 +637,34 @@
} rollback_test_prop:property_service set;
neverallow {
+ domain
+ -init
+ -apexd
+} ctl_apex_load_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -init
+ -dumpstate
+ -apexd
+} ctl_apex_load_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -apexd
+} apex_ready_prop:property_service set;
+
+neverallow {
+ domain
+ -coredomain
+ -dumpstate
+ -apexd
+ -vendor_init
+} apex_ready_prop:file no_rw_file_perms;
+
+neverallow {
# Only allow init and profcollectd to access profcollectd_node_id_prop
domain
-init
diff --git a/private/property_contexts b/private/property_contexts
index 1b2360d..033fd2a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -162,6 +162,8 @@
ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+ctl.apex_load$ u:object_r:ctl_apex_load_prop:s0
+ctl.apex_unload$ u:object_r:ctl_apex_load_prop:s0
# Restrict access to starting/stopping adbd
ctl.start$adbd u:object_r:ctl_adbd_prop:s0
@@ -218,6 +220,9 @@
# heapprofd properties
heapprofd. u:object_r:heapprofd_prop:s0
+# servicemanager properties
+servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
@@ -257,8 +262,10 @@
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot. u:object_r:device_config_vendor_system_native_boot_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -273,12 +280,17 @@
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
apexd. u:object_r:apexd_prop:s0
+apexd.config. u:object_r:apexd_config_prop:s0
apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint
apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.loop_wait.attempts u:object_r:apexd_config_prop:s0 exact uint
persist.apexd. u:object_r:apexd_prop:s0
persist.vendor.apex. u:object_r:apexd_select_prop:s0
ro.boot.vendor.apex. u:object_r:apexd_select_prop:s0
+# Property that indicates if an apex is ready: apex.<apex-name>.ready
+apex. u:object_r:apex_ready_prop:s0 prefix bool
+
bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0 exact bool
gsid. u:object_r:gsid_prop:s0
@@ -352,6 +364,9 @@
# Boolean property used in AudioService to configure whether
# spatializer functionality should be initialized
ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioService to configure whether
+# to enable head tracking for spatial audio
+ro.audio.headtracking_enabled u:object_r:audio_config_prop:s0 exact bool
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
@@ -486,6 +501,7 @@
bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.gap.le.conn.min.limit u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
@@ -519,6 +535,33 @@
bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.vcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.acl.link_supervision_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_type u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_type u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.sniff_max_intervals u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_min_intervals u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_attempts u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_timeouts u:object_r:bluetooth_config_prop:s0 exact string
+
+bluetooth.core.le.min_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_latency u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_supervision_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.direct_connection_timeout u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_interval_fast u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_fast u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_2m_fast u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_coded_fast u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_interval_slow u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_slow u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.inquiry_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.inquiry_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
+
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -657,6 +700,7 @@
sys.usb.config. u:object_r:usb_prop:s0
sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool
+sys.usb.ffs.io_uring_enabled u:object_r:ffs_config_prop:s0 exact bool
sys.usb.ffs.max_read u:object_r:ffs_config_prop:s0 exact int
sys.usb.ffs.max_write u:object_r:ffs_config_prop:s0 exact int
@@ -728,7 +772,8 @@
# GWP-ASan props. Separate from other libc.debug.* props, because we want users
# to be able to set them from `adb shell` even on release devices.
-libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
+persist.libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
# shell-only props for ARM memory tagging (MTE).
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
@@ -739,6 +784,7 @@
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+persist.sys.mte.permissive u:object_r:permissive_mte_prop:s0 exact string
persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
ro.arch u:object_r:build_prop:s0 exact string
@@ -751,6 +797,7 @@
ro.boot.bootloader u:object_r:bootloader_prop:s0 exact string
ro.boot.boottime u:object_r:bootloader_prop:s0 exact string
ro.boot.console u:object_r:bootloader_prop:s0 exact string
+ro.boot.ddr_size u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware.color u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
@@ -807,7 +854,8 @@
ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
-ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
+ro.force.debuggable u:object_r:build_prop:s0 exact bool
ro.treble.enabled u:object_r:build_prop:s0 exact bool
@@ -834,7 +882,7 @@
ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure u:object_r:build_prop:s0 exact int
+ro.secure u:object_r:userdebug_or_eng_prop:s0 exact int
ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
ro.product.system_ext.device u:object_r:build_prop:s0 exact string
@@ -1061,6 +1109,7 @@
ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl_legacy u:object_r:graphics_config_prop:s0 exact string
ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
@@ -1100,6 +1149,9 @@
ro.kernel.qemu. u:object_r:exported_default_prop:s0
ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
+# This property is used by init to store the original value or /proc/sys/vm/watermark_scale_factor
+ro.kernel.watermark_scale_factor u:object_r:init_storage_prop:s0 exact int
+
ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
@@ -1171,6 +1223,7 @@
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_adpf_cpu_hint u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
@@ -1274,6 +1327,9 @@
# Property that tracks keystore crash counts during a boot cycle.
keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+# Configure the means by which we protect the L0 key from the future
+ro.keystore.boot_level_key.strategy u:object_r:keystore_config_prop:s0 exact string
+
partition.system.verified u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
partition.product.verified u:object_r:verity_status_prop:s0 exact string
@@ -1339,3 +1395,41 @@
# virtualization service properties
virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
+
+# properties for the virtual Face HAL
+persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_start_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.lockout u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
+
+# properties for the virtual Fingerprint HAL
+persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+
+# properties for tuner
+ro.tuner.lazyhal u:object_r:tuner_config_prop:s0 exact bool
+tuner.server.enable u:object_r:tuner_server_ctl_prop:s0 exact bool
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 20d3adf..3f4a49b 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,88 +10,6 @@
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-# Audit the access to signal that we are still investigating whether sdk_sandbox
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow sdk_sandbox audio_service:service_manager find;
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)
diff --git a/private/service_contexts b/private/service_contexts
index 72fa166..1504bac 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,12 +1,15 @@
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
+android.hardware.audio.effect.IFactory/default u:object_r:hal_audio_service:s0
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
+android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
+android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
# The instance here is internal/0 following naming convention for ICameraProvider.
# It advertises internal camera devices.
@@ -58,6 +61,7 @@
android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
+android.hardware.tv.input.ITvInput/default u:object_r:hal_tv_input_service:s0
android.hardware.usb.IUsb/default u:object_r:hal_usb_service:s0
android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
@@ -68,6 +72,7 @@
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.se.omapi.ISecureElementService/default u:object_r:secure_element_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
+android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
accessibility u:object_r:accessibility_service:s0
@@ -174,7 +179,6 @@
emergency_affordance u:object_r:emergency_affordance_service:s0
euicc_card_controller u:object_r:radio_service:s0
external_vibrator_service u:object_r:external_vibrator_service:s0
-lowpan u:object_r:lowpan_service:s0
ethernet u:object_r:ethernet_service:s0
face u:object_r:face_service:s0
file_integrity u:object_r:file_integrity_service:s0
@@ -197,7 +201,6 @@
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
installd u:object_r:installd_service:s0
-iorapd u:object_r:iorapd_service:s0
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
@@ -348,7 +351,6 @@
texttospeech u:object_r:texttospeech_service:s0
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
-timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
translation u:object_r:translation_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 6294452..95a9496 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -5,3 +5,7 @@
read_runtime_log_tags(servicemanager)
set_prop(servicemanager, ctl_interface_start_prop)
+set_prop(servicemanager, servicemanager_prop)
+
+# servicemanager is using bootstrap bionic
+use_bootstrap_libs(servicemanager)
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 2e2c473..1be5a5e 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -53,3 +53,5 @@
-snapuserd
-init
} snapuserd_prop:property_service set;
+
+allow snapuserd self:anon_inode create_file_perms;
diff --git a/private/su.te b/private/su.te
index 587f449..2496473 100644
--- a/private/su.te
+++ b/private/su.te
@@ -27,4 +27,6 @@
# Do not audit accesses to keystore2 namespace for the su domain.
dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+ # Allow root to set MTE permissive mode.
+ set_prop(su, permissive_mte_prop);
')
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -74,13 +74,9 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
perfetto_producer(surfaceflinger)
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/private/system_app.te b/private/system_app.te
index 01956f4..822fbb5 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -87,7 +87,6 @@
-dnsresolver_service
-dumpstate_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
@@ -103,7 +102,6 @@
dnsresolver_service
dumpstate_service
installd_service
- iorapd_service
mdns_service
netd_service
virtual_touchpad_service
@@ -113,6 +111,9 @@
# suppress denials caused by debugfs_tracing
dontaudit system_app debugfs_tracing:file rw_file_perms;
+# Ignore access to zram when Debug.getMemInfo is called.
+dontaudit system_app sysfs_zram:dir search;
+
allow system_app keystore:keystore_key {
get_state
get
@@ -176,10 +177,6 @@
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index bb02047..ab0bfe0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -15,11 +15,6 @@
userfaultfd_use(system_server)
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
@@ -287,6 +282,7 @@
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, appdomain)
+binder_call(system_server, artd)
binder_call(system_server, binderservicedomain)
binder_call(system_server, composd)
binder_call(system_server, dumpstate)
@@ -296,7 +292,6 @@
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
binder_call(system_server, netd)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
@@ -305,7 +300,6 @@
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
-binder_call(system_server, wpantund)
binder_service(system_server)
# Use HALs
@@ -401,6 +395,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_light_server
hal_neuralnetworks_server
hal_omx_server
@@ -495,6 +490,10 @@
allow system_server keychain_data_file:file create_file_perms;
allow system_server keychain_data_file:lnk_file create_file_perms;
+# Read the user parent directories like /data/user. Don't allow write access,
+# as vold is responsible for creating and deleting the subdirectories.
+allow system_server system_userdir_file:dir r_dir_perms;
+
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
@@ -604,12 +603,9 @@
allow system_server textclassifier_data_file:dir create_dir_perms;
allow system_server textclassifier_data_file:file create_file_perms;
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Allow write access to be able to truncate tombstones.
-allow system_server tombstone_data_file:file write;
+# Manage /data/tombstones.
+allow system_server tombstone_data_file:dir rw_dir_perms;
+allow system_server tombstone_data_file:file create_file_perms;
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
@@ -619,10 +615,6 @@
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
# Manage /data/app-staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
@@ -757,7 +749,9 @@
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
# Allow query ART device config properties
@@ -825,6 +819,11 @@
# Read persist.wm.debug. properties
get_prop(system_server, persist_wm_debug_prop)
+# Read ro.tuner.lazyhal
+get_prop(system_server, tuner_config_prop)
+# Write tuner.server.enable
+set_prop(system_server, tuner_server_ctl_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -864,8 +863,8 @@
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
+allow system_server fscklogs:dir { write remove_name add_name };
+allow system_server fscklogs:file rename;
# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
@@ -891,6 +890,7 @@
allow system_server sysfs_zram:file rw_file_perms;
add_service(system_server, system_server_service);
+allow system_server artd_service:service_manager find;
allow system_server audioserver_service:service_manager find;
allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
@@ -908,7 +908,6 @@
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
@@ -1077,10 +1076,11 @@
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
-# Allow system process to setup and measure fs-verity
-allowxperm system_server apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
+# Allow system process to setup fs-verity
+allowxperm system_server apk_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+
+# Allow system process to measure fs-verity for apps, apps being installed and system files
+allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
# Postinstall
#
@@ -1292,6 +1292,13 @@
device_config_window_manager_native_boot_prop
}:property_service set;
+# Only allow system_server and init to set tuner_server_ctl_prop
+neverallow {
+ domain
+ -system_server
+ -init
+} tuner_server_ctl_prop:property_service set;
+
# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
@@ -1425,6 +1432,8 @@
# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
+# Read /proc/pressure/cpu and /proc/pressure/io
+allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
diff --git a/private/toolbox.te b/private/toolbox.te
index 1e53d72..5878997 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -5,3 +5,8 @@
# rm -rf in /data/misc/virtualizationservice
allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
allow toolbox virtualizationservice_data_file:file { getattr unlink };
+
+# If we can't remove these directories we try to chmod them. That
+# doesn't work, but it doesn't matter as virtualizationservice itself
+# will delete them when it starts. See b/235338094#comment39
+dontaudit toolbox virtualizationservice_data_file:dir setattr;
diff --git a/private/traced.te b/private/traced.te
index a6e200e..3029094 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,7 +1,4 @@
# Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
# Allow init to exec the daemon.
@@ -41,11 +38,6 @@
binder_use(traced);
binder_call(traced, system_server);
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
# Allow traced to use shared memory supplied by producers. Typically, traced
# (i.e. the tracing service) creates the shared memory used for data transfer
# from the producer. This rule allows an alternative scheme, where the producer
@@ -95,18 +87,17 @@
-perfetto_traces_bugreport_data_file
-system_data_file
-system_data_root_file
+ -media_userdir_file
+ -system_userdir_file
+ -vendor_userdir_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced {
data_file_type
- -zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-trace_data_file
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 96a7263..811bf48 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -28,10 +28,12 @@
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
-r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
+# ART apex files and directory access to the containing /data/misc/apexdata.
+r_dir_file(traced_perf, apex_art_data_file)
+allow traced_perf apex_module_data_file:dir { getattr search };
# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 66d5ac4..5cc271c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -83,6 +83,7 @@
proc_meminfo
proc_vmstat
proc_stat
+ proc_buddyinfo
}:file r_file_perms;
# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
@@ -126,6 +127,9 @@
-dalvikcache_data_file
-system_data_file
-system_data_root_file
+ -media_userdir_file
+ -system_userdir_file
+ -vendor_userdir_file
-system_app_data_file
-backup_data_file
-bootstat_data_file
@@ -136,15 +140,11 @@
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
-neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes {
data_file_type
- -zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
-game_mode_intervention_list_file
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
deleted file mode 100644
index 502735c..0000000
--- a/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 63b095a..56e44db 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -20,4 +20,4 @@
allow untrusted_app sdk_sandbox_data_file:fd use;
allow untrusted_app sdk_sandbox_data_file:file write;
-neverallow untrusted_app sdk_sandbox_data_file:file { open create };
+neverallow untrusted_app sdk_sandbox_data_file:file { open create };
\ No newline at end of file
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 6bb2606..03f3334 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -18,3 +18,4 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index e0a71ef..569c300 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -20,3 +20,4 @@
# allow sending RTM_GETNEIGH{TBL} messages.
allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+
diff --git a/private/update_engine.te b/private/update_engine.te
index c3f575f..8d6341c 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -30,3 +30,7 @@
# capex decompression
allow update_engine apex_service:service_manager find;
binder_call(update_engine, apexd)
+
+# let this domain use the hal service
+binder_use(update_engine)
+hal_client_domain(update_engine, hal_bootctl)
diff --git a/private/update_verifier.te b/private/update_verifier.te
index 5e1b27b..a8cef37 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -7,3 +7,10 @@
# Allow to set the OTA related properties e.g. ota.warm_reset.
set_prop(update_verifier, ota_prop)
+
+# allow update_verifier to connect to snapuserd daemon
+allow update_verifier snapuserd_socket:sock_file write;
+allow update_verifier snapuserd:unix_stream_socket connectto;
+
+# virtual a/b properties
+get_prop(update_verifier, virtual_ab_prop)
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 70b3ef9..acbd84e 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -12,6 +12,9 @@
# Let vendor_init react to AVF device config changes
get_prop(vendor_init, device_config_virtualization_framework_native_prop)
+# Let vendor_init use apex.<name>.ready to start services from vendor APEX
+get_prop(vendor_init, apex_ready_prop)
+
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index c369a90..9ae5308 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -82,3 +82,9 @@
-init
-virtualizationservice
} virtualizationservice_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -virtualizationservice
+} virtualizationservice_data_file:file { open create };
diff --git a/private/vold.te b/private/vold.te
index cb7b1bc..40c1a57 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -66,3 +66,31 @@
-apexd
-gsid
} vold_service:service_manager find;
+
+# Allow vold to create and delete per-user directories like /data/user/$userId.
+allow vold {
+ media_userdir_file
+ system_userdir_file
+ vendor_userdir_file
+}:dir {
+ add_name
+ remove_name
+ write
+};
+
+# Only vold should create (and delete) per-user directories like
+# /data/user/$userId. This is very important, as these directories need to be
+# encrypted with per-user keys, which only vold can do. Encryption can only be
+# set up on empty directories, so creation and encryption must happen together.
+neverallow {
+ domain
+ -vold
+} {
+ media_userdir_file
+ system_userdir_file
+ vendor_userdir_file
+}:dir {
+ add_name
+ remove_name
+ write
+};
diff --git a/private/wpantund.te b/private/wpantund.te
deleted file mode 100644
index e91662c..0000000
--- a/private/wpantund.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute wpantund coredomain;
-
-init_daemon_domain(wpantund)
diff --git a/private/zygote.te b/private/zygote.te
index 41245c2..0df84db 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -36,6 +36,9 @@
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
+# Get attributes of /mnt/expand, needed by cacheNonBootClasspathClassLoaders.
+allow zygote mnt_expand_file:dir getattr;
+
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
@@ -59,45 +62,53 @@
allow zygote apex_art_data_file:dir { getattr search };
allow zygote apex_art_data_file:file { r_file_perms execute };
-# Bind mount on /data/data and mounted volumes
-allow zygote { system_data_file mnt_expand_file }:dir mounton;
+# Mount tmpfs over various directories containing per-app directories, to hide
+# them for app data isolation. Also traverse these directories (via
+# /data_mirror) to find the allowlisted per-app directories to bind-mount in.
+allow zygote {
+ # /data/user{,_de}, /mnt/expand/$volume/user{,_de}
+ system_userdir_file
+ # /data/data
+ system_data_file
+ # /data/misc/profiles/cur
+ user_profile_root_file
+ # /data/misc/profiles/ref
+ user_profile_data_file
+ # /storage/emulated/$userId/Android/{data,obb}
+ media_rw_data_file
+}:dir { mounton search };
-# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
-allow zygote tmpfs:{ dir lnk_file } relabelfrom;
-allow zygote system_data_file:{ dir lnk_file } relabelto;
-allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
+# Traverse /data_mirror to get to the above directories while their normal paths
+# are hidden, in order to bind-mount allowlisted per-app directories.
+allow zygote mirror_data_file:dir search;
-# Zygote opens /mnt/expand to mount CE DE storage on each vol
-allow zygote mnt_expand_file:dir { open read search relabelto };
+# List /mnt/expand to find all /mnt/expand/$volume/user{,_de} directories that
+# need to be hidden by app data isolation, and traverse /mnt/expand to get to
+# any allowlisted per-app directories within these directories.
+allow zygote mnt_expand_file:dir { open read search };
-# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
-allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
+# Get the inode number of app CE data directories to find them by inode number
+# when CE storage is locked. Needed for app data isolation.
+allow zygote app_data_file_type:dir getattr;
-# Create and bind dirs on /data/data
+# Create dirs in the app data isolation tmpfs mounts and bind mount on them.
allow zygote tmpfs:dir { create_dir_perms mounton };
-# Goes into media directory and bind mount obb directory
-allow zygote media_rw_data_file:dir { getattr search };
+# Create the '/data/user/0 => /data/data' symlink in the /data/user tmpfs mount
+# when setting up app data isolation.
+allow zygote tmpfs:lnk_file create;
-# Bind mount on top of existing mounted obb and data directory
-allow zygote media_rw_data_file:dir { mounton };
+# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
+# standard labels. Note: it seems that not all dirs are actually relabeled yet,
+# but it works anyway since all domains can search tmpfs:dir.
+allow zygote tmpfs:{ dir lnk_file } relabelfrom;
+allow zygote system_userdir_file:dir relabelto;
+allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
-# Create symlink for /data/user/0
-allow zygote tmpfs:lnk_file create;
-
-allow zygote mirror_data_file:dir r_dir_perms;
-
-# Get inode of directories for app data isolation
-allow zygote {
- app_data_file_type
- system_data_file
- mnt_expand_file
- sdk_sandbox_system_data_file
-}:dir getattr;
-
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
@@ -229,6 +240,10 @@
# Allow zygote to read qemu.sf.lcd_density
get_prop(zygote, qemu_sf_lcd_density_prop)
+# Allow zygote to read persist.wm.debug.* to toggle experimental window manager features in
+# preloaded classes
+get_prop(zygote, persist_wm_debug_prop)
+
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
diff --git a/public/artd.te b/public/artd.te
new file mode 100644
index 0000000..0731adc
--- /dev/null
+++ b/public/artd.te
@@ -0,0 +1,2 @@
+# ART service daemon.
+type artd, domain;
diff --git a/public/attributes b/public/attributes
index 742264a..aeed208 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,9 +7,6 @@
# in tools/checkfc.c
attribute dev_type;
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute bdev_type;
-
# Attribute for all bpf filesystem subtypes.
attribute bpffs_type;
@@ -74,9 +71,6 @@
# All types used for sysfs files.
attribute sysfs_type;
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute sysfs_block_type;
-
# All types use for debugfs files.
attribute debugfs_type;
@@ -173,12 +167,6 @@
# services which are explicitly disallowed for untrusted apps to access
attribute protected_service;
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
diff --git a/public/domain.te b/public/domain.te
index 8e1fcf7..11a14c5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,7 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
@@ -129,6 +130,7 @@
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
+get_prop({domain - untrusted_app_all }, userdebug_or_eng_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
@@ -227,11 +229,10 @@
# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };
-# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
-# timezone related information.
+# libc references /system/usr/share/zoneinfo for timezone related information.
# This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
-allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
+allow domain { system_zoneinfo_file }:file r_file_perms;
+allow domain { system_zoneinfo_file }:dir r_dir_perms;
# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)
@@ -243,16 +244,30 @@
allow domain sysfs_transparent_hugepage:dir search;
allow domain sysfs_transparent_hugepage:file r_file_perms;
-# files under /data.
+# Allow search access, and sometimes getattr access, to various directories
+# under /data. We are fairly lenient in allowing search access to top-level
+# dirs that commonly need to be traversed to get access to the "real" files, as
+# this greatly simplifies the policy and doesn't open up much attack surface.
not_full_treble(`
allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
+# Anything that accesses anything in /data needs search access to /data itself.
+# This includes vendor components, as they need to access /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
+# system_data_file is the default type for directories in /data. Anything
+# accessing data files with a more specific type often has to traverse a
+# system_data_file directory such as /data/misc to get there.
allow domain system_data_file:dir search;
+# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
+# search access to these directories themselves. getattr access is sometimes
+# needed too.
+allow { coredomain appdomain } system_userdir_file:dir { search getattr };
+# Anything that accesses files in /data/media needs search access to /data/media
+# itself.
+allow { coredomain appdomain } media_userdir_file:dir search;
# TODO restrict this to non-coredomain
+allow domain vendor_userdir_file:dir { getattr search };
allow domain vendor_data_file:dir { getattr search };
# required by the dynamic linker
@@ -563,6 +578,7 @@
neverallow { domain -init } aac_drc_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
+neverallow { domain -init } userdebug_or_eng_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
# a few allowed domains.
@@ -626,22 +642,6 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
-
-full_treble_only(`
- # vendor services cant add system services
- neverallow {
- domain
- -coredomain
- } {
- service_manager_type
- -vendor_service
- }:service_manager add;
-')
-
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
@@ -654,9 +654,10 @@
service_manager_type
-app_api_service
- -vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
+ -hal_service_type # see app_neverallows.te
+
-apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
@@ -822,11 +823,6 @@
-vendor_init
} {
core_data_file_type
- # libc includes functions like mktime and localtime which attempt to access
- # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
- # These functions are considered vndk-stable and thus must be allowed for
- # all processes.
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map };
neverallow {
@@ -835,7 +831,6 @@
} {
core_data_file_type
-unencrypted_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map };
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
@@ -854,8 +849,8 @@
core_data_file_type
-system_data_file # default label for files on /data. Covered below...
-system_data_root_file
+ -vendor_userdir_file
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow {
@@ -866,8 +861,8 @@
-unencrypted_data_file
-system_data_file
-system_data_root_file
+ -vendor_userdir_file
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
@@ -935,8 +930,6 @@
-system_lib_file
-system_linker_exec
-crash_dump_exec
- -iorap_prefetcherd_exec
- -iorap_inode2filename_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };
@@ -1004,7 +997,6 @@
system_file_type
-crash_dump_exec
-file_contexts_file
- -iorap_inode2filename_exec
-netutils_wrapper_exec
-property_contexts_file
-system_event_log_tags_file
@@ -1177,7 +1169,6 @@
-dumpstate
-init
-installd
- -iorap_inode2filename
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
@@ -1227,11 +1218,12 @@
neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
# Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
+# it from installd and artd forked processes.
neverallow {
domain
-installd
-profman
+ -artd
} profman_exec:file no_x_file_perms;
# Enforce restrictions on kernel module origin.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c75f30..a2d2417 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -87,6 +87,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_neuralnetworks_server
hal_omx_server
hal_power_server
@@ -112,6 +113,9 @@
sysfs_zram
}:file r_file_perms;
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;
@@ -143,21 +147,28 @@
binder_call(dumpstate, { appdomain netd wificond })
# Allow dumpstate to call dump() on specific hals.
+dump_hal(hal_authsecret)
+dump_hal(hal_contexthub)
+dump_hal(hal_drm)
dump_hal(hal_dumpstate)
-dump_hal(hal_wifi)
-dump_hal(hal_graphics_allocator)
-dump_hal(hal_light)
-dump_hal(hal_neuralnetworks)
-dump_hal(hal_nfc)
-dump_hal(hal_thermal)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_identity)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
-dump_hal(hal_contexthub)
-dump_hal(hal_drm)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_identity)
+dump_hal(hal_input_processor)
+dump_hal(hal_keymint)
+dump_hal(hal_light)
+dump_hal(hal_memtrack)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
+dump_hal(hal_oemlock)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_rebootescrow)
+dump_hal(hal_thermal)
+dump_hal(hal_weaver)
+dump_hal(hal_wifi)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
@@ -309,9 +320,6 @@
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
-# Allow dumpstate to talk to iorapd over binder.
-binder_call(dumpstate, iorapd)
-
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
@@ -331,6 +339,7 @@
mnt_vendor_file
mirror_data_file
mnt_user_file
+ mnt_product_file
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
@@ -345,31 +354,6 @@
# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);
-# Allow dumpstate to talk to these stable AIDL services over binder
-binder_call(dumpstate, hal_rebootescrow_server)
-allow hal_rebootescrow_server dumpstate:fifo_file write;
-allow hal_rebootescrow_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_authsecret_server)
-allow hal_authsecret_server dumpstate:fifo_file write;
-allow hal_authsecret_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_keymint_server)
-allow hal_keymint_server dumpstate:fifo_file write;
-allow hal_keymint_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_memtrack_server)
-allow hal_memtrack_server dumpstate:fifo_file write;
-allow hal_memtrack_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_oemlock_server)
-allow hal_oemlock_server dumpstate:fifo_file write;
-allow hal_oemlock_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_weaver_server)
-allow hal_weaver_server dumpstate:fifo_file write;
-allow hal_weaver_server dumpstate:fd use;
-
#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
diff --git a/public/e2fs.te b/public/e2fs.te
index dd5bd69..20f70d9 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -9,7 +9,7 @@
allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs dm_device:blk_file rw_file_perms;
allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
};
allow e2fs {
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 0c43a89..68cb9e0 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -103,6 +103,13 @@
allow fastbootd tmpfs:dir rw_dir_perms;
# Fetch vendor_boot partition
allow fastbootd boot_block_device:blk_file r_file_perms;
+
+ # popen(/system/bin/dmesg) and associated permissions. We only allow this
+ # on unlocked devices running userdebug builds.
+ allow fastbootd rootfs:file execute_no_trans;
+ allow fastbootd system_file:file execute_no_trans;
+ allow fastbootd kmsg_device:chr_file read;
+ allow fastbootd kernel:system syslog_read;
')
# Allow using libfiemap/gsid directly (no binder in recovery).
diff --git a/public/file.te b/public/file.te
index 2bfa282..eb55210 100644
--- a/public/file.te
+++ b/public/file.te
@@ -300,13 +300,20 @@
type system_data_root_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for directories containing per-user encrypted directories, such
+# as /data/user and /data/user_de.
+type system_userdir_file, file_type, data_file_type, core_data_file_type;
# Type for /data/system/packages.list.
# TODO(b/129332765): Narrow down permissions to this.
# Find out users of system_data_file that should be granted only this.
type packages_list_file, file_type, data_file_type, core_data_file_type;
type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data/vendor{_ce,_de}.
+# Default type for anything inside /data/vendor_{ce,de}.
type vendor_data_file, file_type, data_file_type;
+# Type for /data/vendor_{ce,de} themselves. This has core_data_file_type
+# because these directories themselves are platform-managed; only the files
+# *inside* them are vendor data. (Somewhat similar to system_data_root_file.)
+type vendor_userdir_file, file_type, data_file_type, core_data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# installd-create files in /data/misc/installd such as layout_version
@@ -428,6 +435,7 @@
type keystore_data_file, file_type, data_file_type, core_data_file_type;
type media_data_file, file_type, data_file_type, core_data_file_type;
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type media_userdir_file, file_type, data_file_type, core_data_file_type;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
@@ -443,9 +451,7 @@
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/fsck.te b/public/fsck.te
index 1fb5d0d..4fb3817 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -32,6 +32,7 @@
allowxperm fsck dev_type:blk_file ioctl {
BLKDISCARDZEROES
BLKROGET
+ BLKREPORTZONE
};
# To determine if it is safe to run fsck on a filesystem, e2fsck
@@ -48,8 +49,10 @@
allow fsck {
proc_mounts
proc_swaps
+ sysfs_dm
}:file r_file_perms;
allow fsck rootfs:dir r_dir_perms;
+allow fsck sysfs_dm:dir r_dir_perms;
###
### neverallow rules
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index a1f3d7f..f9b50b0 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -1,6 +1,10 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_bootctl_client, hal_bootctl_server)
binder_call(hal_bootctl_server, hal_bootctl_client)
+binder_use(hal_bootctl_server)
hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
allow hal_bootctl_server proc_bootconfig:file r_file_perms;
+
+# Needed to wait for AIDL hal services
+hal_attribute_service(hal_bootctl, hal_bootctl_service);
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 069da47..29bab48 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -42,7 +42,6 @@
data_file_type
-anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection
- -zoneinfo_data_file # granted to domain
with_native_coverage(`-method_trace_data_file')
}:{ file fifo_file sock_file } *;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 72fa308..43d0a7c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -26,6 +26,12 @@
allow hal_drm cgroup_v2:dir { search write };
allow hal_drm cgroup_v2:file w_file_perms;
+# Allow dumpsys Widevine without root
+userdebug_or_eng(`
+ allow hal_drm_server shell:fd use;
+ allow hal_drm_server shell:fifo_file write;
+')
+
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index aee283a..193b05a 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -13,3 +13,6 @@
allow hal_dumpstate shell_data_file:file write;
# allow reading /proc/interrupts for all hal impls
allow hal_dumpstate proc_interrupts:file r_file_perms;
+
+# Log fsck results
+r_dir_file(hal_dumpstate, fscklogs)
diff --git a/public/hal_input_processor.te b/public/hal_input_processor.te
index 77d1d70..b59b15f 100644
--- a/public/hal_input_processor.te
+++ b/public/hal_input_processor.te
@@ -3,3 +3,6 @@
binder_call(hal_input_processor_server, servicemanager)
hal_attribute_service(hal_input_processor, hal_input_processor_service)
+
+# Allow dumping of the HAL
+allow hal_input_processor_server dumpstate:fifo_file write;
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 04d0b59..c7049fd 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -7,6 +7,8 @@
allow hal_neuralnetworks hal_allocator:fd use;
allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_graphics_allocator:fd use;
+allow hal_neuralnetworks gpu_device:chr_file rw_file_perms;
+allow hal_neuralnetworks gpu_device:dir r_dir_perms;
# Allow NN HAL service to use a client-provided fd residing in /data/data/.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 5a5bdda..b345189 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -3,3 +3,7 @@
binder_call(hal_tv_input_server, hal_tv_input_client)
hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
+hal_attribute_service(hal_tv_input, hal_tv_input_service)
+
+binder_call(hal_tv_input_server, servicemanager)
+binder_call(hal_tv_input_client, servicemanager)
diff --git a/public/idmap.te b/public/idmap.te
index f41f573..76ef622 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,15 +2,10 @@
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
-# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
+# Allow read + write access to /data/resource-cache
allow idmap resourcecache_data_file:file create_file_perms;
allow idmap resourcecache_data_file:dir rw_dir_perms;
-# Ignore reading /proc/<pid>/maps after a fork.
-dontaudit idmap installd:file read;
-
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
diff --git a/public/init.te b/public/init.te
index ce0d130..d99172f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -212,10 +212,10 @@
allow init {
file_type
-app_data_file
- -exec_type
- -iorapd_data_file
-credstore_data_file
+ -exec_type
-keystore_data_file
+ -media_userdir_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
@@ -223,7 +223,9 @@
-system_app_data_file
-system_dlkm_file_type
-system_file_type
+ -system_userdir_file
-vendor_file_type
+ -vendor_userdir_file
-vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };
@@ -233,7 +235,6 @@
-app_data_file
-exec_type
-gsi_data_file
- -iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
@@ -251,12 +252,15 @@
allow init tracefs_type:file { create_file_perms relabelfrom };
+# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
+# subcontext for action/service defined in APEXes.
+allow init apex_info_file:file r_file_perms;
+
allow init {
file_type
-app_data_file
-exec_type
-gsi_data_file
- -iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
@@ -276,7 +280,6 @@
-app_data_file
-exec_type
-gsi_data_file
- -iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
diff --git a/public/installd.te b/public/installd.te
index 46796af..216704d 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -42,13 +42,12 @@
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
+# Required to initially create subdirectories of /data/user/$userId
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir create_dir_perms;
-# Also, allow read for lnk_file so that we can process /data/user/0 links when
-# optimizing application code.
+# Also, allow read for lnk_file so that we can process symlinks within
+# /data/user/$userId when optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
# Manage lower filesystem via pass_through mounts
@@ -62,6 +61,7 @@
allow installd media_rw_data_file:dir relabelto;
# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd media_userdir_file:dir r_dir_perms;
allow installd tmpfs:dir r_dir_perms;
allow installd storage_file:dir search;
allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
@@ -71,6 +71,7 @@
allow installd mirror_data_file:dir { create_dir_perms mounton };
# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd system_userdir_file:dir r_dir_perms;
allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms;
allow installd keychain_data_file:dir create_dir_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index d46e485..e900173 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,6 +132,7 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_GET_EXTENDED_ERROR', `0xc0486211')
define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
define(`BINDER_FREEZE', `0x400c620e')
define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
@@ -165,6 +166,8 @@
define(`BLKPG', `0x00001269')
define(`BLKRAGET', `0x00001263')
define(`BLKRASET', `0x00001262')
+define(`BLKREPORTZONE', `0xc0101282')
+define(`BLKRESETZONE', `0x40101283')
define(`BLKROGET', `0x0000125e')
define(`BLKROSET', `0x0000125d')
define(`BLKROTATIONAL', `0x0000127e')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 47a5157..64ee1b0 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -73,4 +73,5 @@
BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+BINDER_GET_EXTENDED_ERROR
}')
diff --git a/public/iorap.te b/public/iorap.te
new file mode 100644
index 0000000..0671c34
--- /dev/null
+++ b/public/iorap.te
@@ -0,0 +1,4 @@
+# Define these types for now, as they may be used in device-specific policy.
+type iorapd;
+type iorap_inode2filename;
+type iorap_prefetcherd;
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
deleted file mode 100644
index 6f119ee..0000000
--- a/public/iorap_inode2filename.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# iorap.inode2filename -> look up file paths from an inode
-type iorap_inode2filename, domain;
-type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
-type iorap_inode2filename_tmpfs, file_type;
-
-r_dir_file(iorap_inode2filename, rootfs)
-
-# Allow usage of pipes (child stdout -> parent pipe).
-allow iorap_inode2filename iorapd:fd use;
-allow iorap_inode2filename iorapd:fifo_file { read write getattr };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_inode2filename self:capability dac_read_search;
-
-typeattribute iorap_inode2filename mlstrustedsubject;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename apex_data_file:dir { getattr open read search };
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
-allow iorap_inode2filename apex_mnt_dir:file { getattr };
-allow iorap_inode2filename apk_data_file:dir { getattr open read search };
-allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
-allow iorap_inode2filename backup_data_file:dir { getattr open read search };
-allow iorap_inode2filename backup_data_file:file { getattr };
-allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
-allow iorap_inode2filename bootchart_data_file:file { getattr };
-allow iorap_inode2filename metadata_file:dir { getattr open read search search };
-allow iorap_inode2filename metadata_file:file { getattr };
-allow iorap_inode2filename packages_list_file:dir { getattr open read search };
-allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename property_data_file:dir { getattr open read search };
-allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
-allow iorap_inode2filename resourcecache_data_file:file { getattr };
-allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:file { getattr };
-allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
-allow iorap_inode2filename same_process_hal_file:file { getattr };
-allow iorap_inode2filename sepolicy_file:file { getattr };
-allow iorap_inode2filename staging_data_file:dir { getattr open read search };
-allow iorap_inode2filename staging_data_file:file { getattr };
-allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
-allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_data_file:file { getattr };
-allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
-allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:file { getattr };
-allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:file { getattr };
-allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
-allow iorap_inode2filename unlabeled:file { getattr };
-allow iorap_inode2filename vendor_file:dir { getattr open read search };
-allow iorap_inode2filename vendor_file:file { getattr };
-allow iorap_inode2filename vendor_overlay_file:file { getattr };
-allow iorap_inode2filename zygote_exec:file { getattr };
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
-neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
deleted file mode 100644
index 4b218fb..0000000
--- a/public/iorap_prefetcherd.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# volume manager
-type iorap_prefetcherd, domain;
-type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
-type iorap_prefetcherd_tmpfs, file_type;
-
-r_dir_file(iorap_prefetcherd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
-
-# iorap_prefetcherd temporarily changes its priority when running benchmarks
-allow iorap_prefetcherd self:global_capability_class_set sys_nice;
-
-# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
-allow iorap_prefetcherd iorapd:fd use;
-allow iorap_prefetcherd iorapd:fifo_file { read write };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_prefetcherd self:capability dac_read_search;
-
-typeattribute iorap_prefetcherd mlstrustedsubject;
-
-# Grant logcat access
-allow iorap_prefetcherd logcat_exec:file { open read };
-
-# Grant access to open most of the files under /
-allow iorap_prefetcherd apk_data_file:dir { open read search };
-allow iorap_prefetcherd apk_data_file:file { open read };
-allow iorap_prefetcherd app_data_file:dir { open read search };
-allow iorap_prefetcherd app_data_file:file { open read };
-allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
-allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
-allow iorap_prefetcherd packages_list_file:dir { open read search };
-allow iorap_prefetcherd packages_list_file:file { open read };
-allow iorap_prefetcherd privapp_data_file:dir { open read search };
-allow iorap_prefetcherd privapp_data_file:file { open read };
-allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
-allow iorap_prefetcherd same_process_hal_file:file { open read };
-allow iorap_prefetcherd system_data_file:dir { open read search };
-allow iorap_prefetcherd system_data_file:file { open read };
-allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:file { open read };
-allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
-allow iorap_prefetcherd vendor_overlay_file:file { open read };
-# Note: Do not add any /vendor labels because they can be customized
-# by the vendor and we won't know about them beforehand.
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
-neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorapd.te b/public/iorapd.te
deleted file mode 100644
index 8fded0c..0000000
--- a/public/iorapd.te
+++ /dev/null
@@ -1,94 +0,0 @@
-# volume manager
-type iorapd, domain;
-type iorapd_exec, exec_type, file_type, system_file_type;
-type iorapd_tmpfs, file_type;
-
-r_dir_file(iorapd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorapd proc_drop_caches:file rw_file_perms;
-
-# Give iorapd a place where only iorapd can store files; everyone else is off limits
-allow iorapd iorapd_data_file:dir create_dir_perms;
-allow iorapd iorapd_data_file:file create_file_perms;
-
-# Allow iorapd to publish a binder service and make binder calls.
-binder_use(iorapd)
-add_service(iorapd, iorapd_service)
-
-# Allow iorapd to call into the system server so it can check permissions.
-binder_call(iorapd, system_server)
-allow iorapd permission_service:service_manager find;
-# IUserManager
-allow iorapd user_service:service_manager find;
-# IPackageManagerNative
-allow iorapd package_native_service:service_manager find;
-# Allow dumpstate (bugreport) to call into iorapd.
-allow iorapd dumpstate:fd use;
-allow iorapd dumpstate:fifo_file write;
-
-# TODO: does each of the service_manager allow finds above need the binder_call?
-
-# iorapd temporarily changes its priority when running benchmarks
-allow iorapd self:global_capability_class_set sys_nice;
-
-# Allow to access Perfetto traced's privileged consumer socket to start/stop
-# tracing sessions and read trace data.
-unix_socket_connect(iorapd, traced_consumer, traced)
-
-# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
-allow iorapd system_file:file rx_file_perms;
-
-# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
-allow iorapd iorap_inode2filename:process signull;
-allow iorapd iorap_prefetcherd:process signull;
-
-# Allowing system_server to check for the existence and size of files under iorapd
-# dir without collecting any sensitive app data.
-# This is used to predict if iorapd is doing prefetching or not.
-allow system_server iorapd_data_file:dir { getattr open read search };
-allow system_server iorapd_data_file:file getattr;
-
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -iorapd
-} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
- domain
- -init
- -iorapd
- -system_server
-} iorapd_data_file:dir *;
-
-neverallow {
- domain
- -kernel
- -iorapd
-} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -kernel
- -vendor_init
- -iorapd
- -system_server
-} { iorapd_data_file }:notdevfile_class_set *;
-
-# Only system_server and shell (for dumpsys) can interact with iorapd over binder
-neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
-neverallow iorapd {
- domain
- -servicemanager
- -system_server
- userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/kernel.te b/public/kernel.te
index 09d2480..b01c07ad 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -95,10 +95,10 @@
staging_data_file
vendor_apex_file
}:file read;
-# Also allow the kernel to read /data/local/tmp files via loop device
-# for ApexTestCases
+# Also allow the kernel to read/write /data/local/tmp files via loop device
+# for ApexTestCases and fiemap_image_test.
userdebug_or_eng(`
- allow kernel shell_data_file:file read;
+ allow kernel shell_data_file:file { read write };
')
# Allow the first-stage init (which is running in the kernel domain) to execute the
diff --git a/public/keystore.te b/public/keystore.te
index e1c58a4..8ac503e 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -48,3 +48,6 @@
# The software KeyMint implementation used in km_compat needs
# to read the vendor security patch level.
get_prop(keystore, vendor_security_patch_level_prop);
+
+# Allow keystore to read its vendor configuration
+get_prop(keystore, keystore_config_prop)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1315b8f..44786fc 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -67,7 +67,6 @@
# descriptor opened outside the process.
neverallow mediaextractor {
data_file_type
- -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
with_native_coverage(`-method_trace_data_file')
}:file open;
diff --git a/public/netd.te b/public/netd.te
index 7c7655e..9b8fdb0 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -111,6 +111,10 @@
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
+# AIDL hal server
+binder_call(system_net_netd_service, servicemanager)
+add_service(netd, system_net_netd_service)
+
###
### Neverallow rules
###
diff --git a/public/profman.te b/public/profman.te
index c014d79..727daee 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -14,8 +14,6 @@
allow profman tmpfs:file { read map };
allow profman profman_dump_data_file:file { write map };
-allow profman installd:fd use;
-
# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
diff --git a/public/property.te b/public/property.te
index a235634..80df624 100644
--- a/public/property.te
+++ b/public/property.te
@@ -52,6 +52,7 @@
# Properties which can't be written outside system
system_restricted_prop(aac_drc_prop)
+system_restricted_prop(apex_ready_prop)
system_restricted_prop(arm64_memtag_prop)
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
@@ -68,9 +69,11 @@
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(userdebug_or_eng_prop)
system_restricted_prop(hypervisor_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
@@ -82,6 +85,7 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
+system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
system_restricted_prop(sqlite_log_prop)
@@ -148,6 +152,7 @@
system_vendor_config_prop(hw_timeout_multiplier_prop)
system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(keyguard_config_prop)
+system_vendor_config_prop(keystore_config_prop)
system_vendor_config_prop(lmkd_config_prop)
system_vendor_config_prop(media_config_prop)
system_vendor_config_prop(media_variant_prop)
@@ -178,6 +183,7 @@
system_vendor_config_prop(zram_config_prop)
system_vendor_config_prop(zygote_config_prop)
system_vendor_config_prop(dck_prop)
+system_vendor_config_prop(tuner_config_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
@@ -193,6 +199,7 @@
system_public_prop(ctl_stop_prop)
system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
+system_public_prop(device_config_memory_safety_native_prop)
system_public_prop(dumpstate_options_prop)
system_public_prop(exported_system_prop)
system_public_prop(exported_bluetooth_prop)
@@ -212,6 +219,7 @@
system_public_prop(lowpan_prop)
system_public_prop(nfc_prop)
system_public_prop(ota_prop)
+system_public_prop(permissive_mte_prop)
system_public_prop(powerctl_prop)
system_public_prop(qemu_hw_prop)
system_public_prop(qemu_sf_lcd_density_prop)
@@ -220,6 +228,7 @@
system_public_prop(serialno_prop)
system_public_prop(surfaceflinger_color_prop)
system_public_prop(system_prop)
+system_public_prop(system_user_mode_emulation_prop)
system_public_prop(telephony_status_prop)
system_public_prop(usb_control_prop)
system_public_prop(vold_post_fs_data_prop)
@@ -234,6 +243,12 @@
# Properties used in default HAL implementations
vendor_internal_prop(rebootescrow_hal_prop)
+# Properties used in the default Face HAL implementations
+vendor_internal_prop(virtual_face_hal_prop)
+
+# Properties used in the default Fingerprint HAL implementations
+vendor_internal_prop(virtual_fingerprint_hal_prop)
+
vendor_public_prop(persist_vendor_debug_wifi_prop)
# Properties which are public for devices launching with Android O or earlier
diff --git a/public/service.te b/public/service.te
index e862b40..4bd5e65 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,7 +19,6 @@
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type idmap_service, service_manager_type;
-type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
@@ -45,6 +44,7 @@
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
+type system_net_netd_service, service_manager_type;
type system_suspend_control_internal_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
@@ -122,7 +122,6 @@
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, app_api_service, system_server_service, service_manager_type;
@@ -228,7 +227,6 @@
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
@@ -259,7 +257,6 @@
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
type inputflinger_service, system_api_service, system_server_service, service_manager_type;
-type wpantund_service, system_api_service, service_manager_type;
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type emergency_affordance_service, system_server_service, service_manager_type;
@@ -267,49 +264,51 @@
### HAL Services
###
-type hal_audio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_audiocontrol_service, vendor_service, hal_service_type, service_manager_type;
-type hal_authsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_camera_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_contexthub_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_dice_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_drm_service, vendor_service, hal_service_type, service_manager_type;
-type hal_dumpstate_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_evs_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_face_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_fingerprint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_gnss_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_graphics_allocator_service, vendor_service, hal_service_type, service_manager_type;
-type hal_graphics_composer_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_health_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_health_storage_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_identity_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_input_processor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_ir_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_keymint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_light_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_memtrack_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_neuralnetworks_service, vendor_service, hal_service_type, service_manager_type;
-type hal_nfc_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_oemlock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_power_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_power_stats_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_radio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_rebootescrow_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_sensors_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_secureclock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_sharedsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_audio_service, protected_service, hal_service_type, service_manager_type;
+type hal_audiocontrol_service, hal_service_type, service_manager_type;
+type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
+type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
+type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
+type hal_dice_service, protected_service, hal_service_type, service_manager_type;
+type hal_drm_service, hal_service_type, service_manager_type;
+type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
+type hal_evs_service, protected_service, hal_service_type, service_manager_type;
+type hal_face_service, protected_service, hal_service_type, service_manager_type;
+type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type;
+type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
+type hal_graphics_allocator_service, hal_service_type, service_manager_type;
+type hal_graphics_composer_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
+type hal_identity_service, protected_service, hal_service_type, service_manager_type;
+type hal_input_processor_service, protected_service, hal_service_type, service_manager_type;
+type hal_ir_service, protected_service, hal_service_type, service_manager_type;
+type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
+type hal_light_service, protected_service, hal_service_type, service_manager_type;
+type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
+type hal_neuralnetworks_service, hal_service_type, service_manager_type;
+type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
+type hal_oemlock_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_stats_service, protected_service, hal_service_type, service_manager_type;
+type hal_radio_service, protected_service, hal_service_type, service_manager_type;
+type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
+type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
+type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
-type hal_tv_tuner_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_usb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_uwb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_vehicle_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_vibrator_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_weaver_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_nlinterceptor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_wifi_hostapd_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_wifi_supplicant_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
+type hal_usb_service, protected_service, hal_service_type, service_manager_type;
+type hal_uwb_service, protected_service, hal_service_type, service_manager_type;
+type hal_vehicle_service, protected_service, hal_service_type, service_manager_type;
+type hal_vibrator_service, protected_service, hal_service_type, service_manager_type;
+type hal_weaver_service, protected_service, hal_service_type, service_manager_type;
+type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
###
### Neverallow rules
diff --git a/public/shell.te b/public/shell.te
index 4175c86..496061c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -60,7 +60,6 @@
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
@@ -84,7 +83,6 @@
-gatekeeper_service
-incident_service
-installd_service
- -iorapd_service
-mdns_service
-netd_service
-system_suspend_control_internal_service
diff --git a/public/te_macros b/public/te_macros
index 58d04b4..551f4f3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -199,9 +199,11 @@
# communicate with the VM that it created. Notice that we do not grant
# permission to create a vsock; the client can only connect to VMs
# that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr read write };
+allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
# Allow client to inspect hypervisor capabilities
get_prop($1, hypervisor_prop)
+# Allow client to read (but not open) the crashdump provided by virtualizationservice
+allow $1 virtualizationservice_data_file:file { getattr read };
')
#####################################
@@ -758,7 +760,6 @@
-$1_server
# some services are allowed to find all services
-atrace
- -dumpstate
-shell
-system_app
-traceur_app
diff --git a/public/toolbox.te b/public/toolbox.te
index 4c2cc3e..3705a92 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -1,5 +1,4 @@
# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
# Do NOT use this domain for toolbox when run by any other domain.
type toolbox, domain;
type toolbox_exec, system_file_type, exec_type, file_type;
@@ -23,16 +22,11 @@
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
-# rm -rf directories in /data
+# rm -rf /data/per_boot
allow toolbox system_data_root_file:dir { remove_name write };
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
allow toolbox system_data_file:file { getattr unlink };
-# chattr +F and chattr +P /data/media in init
-allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
-allowxperm toolbox media_rw_data_file:dir ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
+# chattr +F /data/media in init
+allow toolbox media_userdir_file:dir { r_dir_perms setattr };
+allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
diff --git a/public/traced.te b/public/traced.te
index 922d46e..48da0d8 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,3 +1,4 @@
type traced, domain, coredomain, mlstrustedsubject;
type traced_tmpfs, file_type;
+
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 1ab150d..22f6c3b 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -10,7 +10,6 @@
-gatekeeper_service
-incident_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te
deleted file mode 100644
index cf9b95d..0000000
--- a/public/tzdatacheck.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, system_file_type, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e8fd29e..12961e7 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -72,6 +72,7 @@
# read /dev/dm-user, so that we can inotify wait for control devices to be
# asynchronously created by ueventd.
allow update_engine dm_user_device:dir r_dir_perms;
+allow update_engine dm_user_device:chr_file r_file_perms;
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b7302d4..c8ddfb9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -253,6 +253,7 @@
set_prop(vendor_init, userspace_reboot_config_prop)
set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, keystore_config_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, virtual_ab_prop)
@@ -274,6 +275,7 @@
# Allow vendor_init to read vendor_system_native device config changes
get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
###
### neverallow rules
diff --git a/public/vold.te b/public/vold.te
index b0fb6d0..41f95d3 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -99,8 +99,8 @@
# Allow mounting (lower filesystem) on parts of media for performance
allow vold media_rw_data_file:dir mounton;
-# Allow setting extended attributes (for project quota IDs) on files and dirs
-# and to enable project ID inheritance through FS_IOC_SETFLAGS
+# Allow setting project quota IDs and enabling project ID inheritance on
+# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
allowxperm vold media_rw_data_file:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
@@ -124,6 +124,10 @@
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
+allow vold system_userdir_file:dir { create getattr setattr };
+allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
+# Needed to set the casefold flag on /mnt/expand/$volume/media
+allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
@@ -152,7 +156,7 @@
allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
@@ -330,7 +334,6 @@
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
- -iorapd_service
-keystore
-servicemanager
-system_server
diff --git a/public/wpantund.te b/public/wpantund.te
deleted file mode 100644
index 8ddd693..0000000
--- a/public/wpantund.te
+++ /dev/null
@@ -1,29 +0,0 @@
-type wpantund, domain;
-type wpantund_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(wpantund, hal_lowpan)
-net_domain(wpantund)
-
-binder_use(wpantund)
-binder_call(wpantund, system_server)
-
-# wpantund needs to be able to check in with the lowpan_service
-allow wpantund lowpan_service:service_manager find;
-
-# Allow wpantund to call any callbacks that have been registered with it.
-# Generally, only privileged apps are able to register callbacks with
-# wpantund, so we are limiting the scope for callbacks to only privileged
-# apps. We also add shell to allow the command-line utility `lowpanctl`
-# to work properly from `adb shell`.
-allow wpantund {priv_app shell}:binder call;
-
-# create sockets to set interfaces up and down, add multicast groups, etc.
-allow wpantund self:udp_socket create_socket_perms;
-
-# setting interface state up/down and changing MTU are privileged ioctls
-allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
-
-# Allow us to bring up a TUN network interface.
-allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:global_capability_class_set { net_admin net_raw };
-allow wpantund self:tun_socket create;
diff --git a/tests/Android.bp b/tests/Android.bp
index 8ca952d..e271346 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -43,6 +43,11 @@
srcs: [
"treble_sepolicy_tests.py",
],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
libs: [
"mini_cil_parser",
"pysepolwrap",
@@ -55,6 +60,11 @@
srcs: [
"sepolicy_tests.py",
],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
libs: ["pysepolwrap"],
data: [":libsepolwrap"],
}
diff --git a/tests/policy.py b/tests/policy.py
index 60c6962..910dd3d 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -222,11 +222,15 @@
scontext = set()
for sctx in kwargs['scontext']:
scontext |= self.ResolveTypeAttribute(sctx)
+ if (len(scontext) == 0):
+ return []
kwargs['scontext'] = scontext
if ("tcontext" in kwargs and len(kwargs['tcontext']) > 0):
tcontext = set()
for tctx in kwargs['tcontext']:
tcontext |= self.ResolveTypeAttribute(tctx)
+ if (len(tcontext) == 0):
+ return []
kwargs['tcontext'] = tcontext
for Rule in self.__Rules:
if self.__TERuleMatch(Rule, **kwargs):
diff --git a/tests/searchpolicy.py b/tests/searchpolicy.py
index 9d2c636..79efecf 100644
--- a/tests/searchpolicy.py
+++ b/tests/searchpolicy.py
@@ -78,10 +78,10 @@
for r in TERules:
if len(r.perms) > 1:
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
- " ".join(r.perms) + " };")
+ " ".join(sorted(r.perms)) + " };")
else:
rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
- " ".join(r.perms) + ";")
+ " ".join(sorted(r.perms)) + ";")
for r in sorted(rules):
print(r)
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index e940681..63144dd 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -15,9 +15,12 @@
from optparse import OptionParser
from optparse import Option, OptionValueError
import os
+import pkgutil
import policy
import re
+import shutil
import sys
+import tempfile
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
@@ -146,7 +149,11 @@
"TestDmaHeapDevTypeViolations",
]
-if __name__ == '__main__':
+def do_main(libpath):
+ """
+ Args:
+ libpath: string, path to libsepolwrap.so
+ """
usage = "sepolicy_tests -f vendor_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
@@ -158,11 +165,6 @@
(options, args) = parser.parse_args()
- libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + SHARED_LIB_EXTENSION)
- if not os.path.exists(libpath):
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
if not options.policy:
sys.exit("Must specify monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
@@ -207,3 +209,17 @@
if len(results) > 0:
sys.exit(results)
+
+if __name__ == '__main__':
+ temp_dir = tempfile.mkdtemp()
+ try:
+ libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+ libpath = os.path.join(temp_dir, libname)
+ with open(libpath, "wb") as f:
+ blob = pkgutil.get_data("sepolicy_tests", libname)
+ if not blob:
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+ f.write(blob)
+ do_main(libpath)
+ finally:
+ shutil.rmtree(temp_dir)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 64a9e95..b49f138 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,10 +16,13 @@
from optparse import Option, OptionValueError
import os
import mini_parser
+import pkgutil
import policy
from policy import MatchPathPrefix
import re
+import shutil
import sys
+import tempfile
DEBUG=False
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
@@ -341,7 +344,13 @@
"TrebleCompatMapping": TestTrebleCompatMapping,
"ViolatorAttributes": TestViolatorAttributes}
-if __name__ == '__main__':
+def do_main(libpath):
+ """
+ Args:
+ libpath: string, path to libsepolwrap.so
+ """
+ global pol, FakeTreble
+
usage = "treble_sepolicy_tests "
usage += "-f nonplat_file_contexts -f plat_file_contexts "
usage += "-p curr_policy -b base_policy -o old_policy "
@@ -374,11 +383,6 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
- libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
- "libsepolwrap" + SHARED_LIB_EXTENSION)
- if not os.path.exists(libpath):
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
if options.tests is None or options.tests == "TrebleCompatMapping":
@@ -428,3 +432,17 @@
if len(results) > 0:
sys.exit(results)
+
+if __name__ == '__main__':
+ temp_dir = tempfile.mkdtemp()
+ try:
+ libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+ libpath = os.path.join(temp_dir, libname)
+ with open(libpath, "wb") as f:
+ blob = pkgutil.get_data("treble_sepolicy_tests", libname)
+ if not blob:
+ sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+ f.write(blob)
+ do_main(libpath)
+ finally:
+ shutil.rmtree(temp_dir)
diff --git a/tools/Android.bp b/tools/Android.bp
index fcf375d..057b073 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -59,6 +59,13 @@
srcs: ["version_policy.c"],
}
+cc_binary {
+ name: "seamendc",
+ defaults: ["sepolicy_tools_defaults"],
+ srcs: ["seamendc.c"],
+ host_supported: true,
+}
+
python_binary_host {
name: "insertkeys",
srcs: ["insertkeys.py"],
@@ -70,3 +77,8 @@
libs: ["mini_cil_parser", "pysepolwrap"],
data: [":libsepolwrap"],
}
+
+python_binary_host {
+ name: "fuzzer_bindings_check",
+ srcs: ["fuzzer_bindings_check.py"],
+}
diff --git a/tools/README b/tools/README
index 5e340a0..8976c68 100644
--- a/tools/README
+++ b/tools/README
@@ -70,3 +70,15 @@
sepolicy-analyze
A tool for performing various kinds of analysis on a sepolicy
file.
+
+fuzzer_bindings_check
+ Tool to check if fuzzer is added for new services. it is used by fuzzer_bindings_test soong module internally.
+ Error will be generated if there is no fuzzer binding present for service added in service_contexts in
+ system/sepolicy/soong/build/service_fuzzer_bindings.go
+
+ Usage:
+ fuzzer_bindings_check.py -s [SRCs...] -b /path/to/binding.json
+
+ -s [SRCs...] list of service_contexts files. Tool will check if there is fuzzer for every service
+ in the context file.
+ -b /path/to/binding.json Path to json file containing "service":[fuzzers...] bindings.
diff --git a/tools/fuzzer_bindings_check.py b/tools/fuzzer_bindings_check.py
new file mode 100644
index 0000000..d2cc3ae
--- /dev/null
+++ b/tools/fuzzer_bindings_check.py
@@ -0,0 +1,92 @@
+#!/usr/bin/env python3
+#
+# Copyright 2022 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+import json
+import sys
+import os
+import argparse
+
+def check_file_exists(file_name):
+ if not os.path.exists(file_name):
+ sys.exit("File doesn't exist : {0}".format(file_name))
+
+def read_bindings(binding_file):
+ check_file_exists(binding_file)
+ with open(binding_file) as jsonFile:
+ bindings = json.loads(jsonFile.read())
+ return bindings
+
+def check_fuzzer_exists(context_file, bindings):
+ with open(context_file) as file:
+ for line in file:
+ # Ignore empty lines and comments
+ line = line.strip()
+ if line.startswith("#"):
+ logging.debug("Found a comment..skipping")
+ continue
+
+ tokens = line.split()
+ if len(tokens) == 0:
+ logging.debug("Skipping empty lines in service_contexts")
+ continue
+
+ # For a valid service_context file, there will be only two tokens
+ # First will be service name and second will be its label.
+ service_name = tokens[0]
+ if service_name not in bindings:
+ sys.exit("\nerror: Service {0} is being added, but we have no fuzzer on file for it. "
+ "Fuzzers are listed at $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"
+ "NOTE: automatic service fuzzers are currently not supported in Java (b/232439254) "
+ "and Rust (b/164122727). In this case, please ignore this for now. \n\n"
+ "If you are writing a new service, it may be subject to attack from other "
+ "potentially malicious processes. A fuzzer can be written automatically "
+ "by adding these things: \n"
+ "- a cc_fuzz Android.bp entry \n"
+ "- a main file that constructs your service and calls 'fuzzService' \n\n"
+ "An example can be found here: \n "
+ "$ANDROID_BUILD_TOP/hardware/interfaces/vibrator/aidl/default/fuzzer.cpp \n\n"
+ "This is only ~30 lines of configuration. It requires dependency injection "
+ "for your service which is a good practice, and (in AOSP) you will get bugs "
+ "automatically filed on you. You will find out about issues without needing "
+ "to backport changes years later, and the system will automatically find ways "
+ "to reproduce difficult to solve issues for you. \n\n"
+ "- Android Fuzzing and Security teams".format(service_name))
+ return
+
+def validate_bindings(args):
+ bindings = read_bindings(args.bindings)
+ for file in args.srcs:
+ check_file_exists(file)
+ check_fuzzer_exists(file, bindings)
+ return
+
+def get_args():
+ parser = argparse.ArgumentParser(description="Tool to check if fuzzer is "
+ "added for new services")
+ parser.add_argument('-b', help='Path to json file containing '
+ '"service":[fuzzers...] bindings.',
+ required=True, dest='bindings')
+ parser.add_argument('-s', '--list', nargs='+',
+ help='list of service_contexts files. Tool will check if '
+ 'there is fuzzer for every service in the context '
+ 'file.', required=True, dest='srcs')
+ parsed_args = parser.parse_args()
+ return parsed_args
+
+if __name__ == "__main__":
+ args = get_args()
+ validate_bindings(args)
diff --git a/tools/seamendc.c b/tools/seamendc.c
new file mode 100644
index 0000000..cd79c76
--- /dev/null
+++ b/tools/seamendc.c
@@ -0,0 +1,286 @@
+#include <getopt.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+
+#include <cil/cil.h>
+#include <cil/android.h>
+#include <sepol/policydb.h>
+#include "sepol/handle.h"
+
+void usage(const char *prog)
+{
+ printf("Usage: %s [OPTION]... FILE...\n", prog);
+ printf("Takes a binary policy file as input and applies the rules and definitions specified ");
+ printf("in the provided FILEs. Each FILE must be a policy file in CIL format.\n");
+ printf("\n");
+ printf("Options:\n");
+ printf(" -b, --base=<file> (required) base binary policy.\n");
+ printf(" -o, --output=<file> (required) write binary policy to <file>\n");
+ printf(" -v, --verbose increment verbosity level\n");
+ printf(" -h, --help display usage information\n");
+ exit(1);
+}
+
+/*
+ * Read binary policy file from path into the allocated pdb.
+ *
+ * We first read the binary policy into memory, and then we parse it to a
+ * policydb object using sepol_policydb_from_image. This combination is slightly
+ * faster than using sepol_policydb_read that reads the binary file in small
+ * chunks at a time.
+ */
+static int read_binary_policy(char *path, sepol_policydb_t *pdb)
+{
+ int rc = SEPOL_OK;
+ char *buff = NULL;
+ sepol_handle_t *handle = NULL;
+
+ FILE *file = fopen(path, "r");
+ if (!file) {
+ fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ struct stat binarydata;
+ rc = stat(path, &binarydata);
+ if (rc == -1) {
+ fprintf(stderr, "Could not stat %s: %s.\n", path, strerror(errno));
+ goto exit;
+ }
+
+ uint32_t file_size = binarydata.st_size;
+ if (!file_size) {
+ fprintf(stderr, "Binary policy file is empty.\n");
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ buff = malloc(file_size);
+ if (buff == NULL) {
+ perror("malloc failed");
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ rc = fread(buff, file_size, 1, file);
+ if (rc != 1) {
+ fprintf(stderr, "Failure reading %s: %s.\n", path, strerror(errno));
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ handle = sepol_handle_create();
+ if (!handle) {
+ perror("Could not create policy handle");
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ rc = sepol_policydb_from_image(handle, buff, file_size, pdb);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to read binary policy: %d.\n", rc);
+ }
+
+exit:
+ if (file != NULL && fclose(file) == EOF && rc == SEPOL_OK) {
+ perror("Failure closing binary file");
+ rc = SEPOL_ERR;
+ }
+ if(handle != NULL) {
+ sepol_handle_destroy(handle);
+ }
+ free(buff);
+ return rc;
+}
+
+/*
+ * read_cil_files - Initialize db and parse CIL input files.
+ */
+static int read_cil_files(struct cil_db **db, char **paths,
+ unsigned int n_files)
+{
+ int rc = SEPOL_ERR;
+ FILE *file = NULL;
+ char *buff = NULL;
+
+ for (int i = 0; i < n_files; i++) {
+ char *path = paths[i];
+
+ file = fopen(path, "r");
+ if (file == NULL) {
+ rc = SEPOL_ERR;
+ fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+ goto file_err;
+ }
+
+ struct stat filedata;
+ rc = stat(path, &filedata);
+ if (rc == -1) {
+ fprintf(stderr, "Could not stat %s: %s.\n", path, strerror(errno));
+ goto err;
+ }
+
+ uint32_t file_size = filedata.st_size;
+ buff = malloc(file_size);
+ if (buff == NULL) {
+ perror("malloc failed");
+ rc = SEPOL_ERR;
+ goto err;
+ }
+
+ rc = fread(buff, file_size, 1, file);
+ if (rc != 1) {
+ fprintf(stderr, "Failure reading %s: %s.\n", path, strerror(errno));
+ rc = SEPOL_ERR;
+ goto err;
+ }
+ fclose(file);
+ file = NULL;
+
+ /* create parse_tree */
+ rc = cil_add_file(*db, path, buff, file_size);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failure adding %s to parse tree.\n", path);
+ goto parse_err;
+ }
+ free(buff);
+ buff = NULL;
+ }
+
+ return SEPOL_OK;
+err:
+ fclose(file);
+parse_err:
+ free(buff);
+file_err:
+ return rc;
+}
+
+/*
+ * Write binary policy in pdb to file at path.
+ */
+static int write_binary_policy(sepol_policydb_t *pdb, char *path)
+{
+ int rc = SEPOL_OK;
+
+ FILE *file = fopen(path, "w");
+ if (file == NULL) {
+ fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+ rc = SEPOL_ERR;
+ goto exit;
+ }
+
+ struct sepol_policy_file *pf = NULL;
+ rc = sepol_policy_file_create(&pf);
+ if (rc != 0) {
+ fprintf(stderr, "Failed to create policy file: %d.\n", rc);
+ goto exit;
+ }
+ sepol_policy_file_set_fp(pf, file);
+
+ rc = sepol_policydb_write(pdb, pf);
+ if (rc != 0) {
+ fprintf(stderr, "failed to write binary policy: %d.\n", rc);
+ goto exit;
+ }
+
+exit:
+ if (file != NULL && fclose(file) == EOF && rc == SEPOL_OK) {
+ perror("Failure closing binary file");
+ rc = SEPOL_ERR;
+ }
+ return rc;
+}
+
+int main(int argc, char *argv[])
+{
+ char *base = NULL;
+ char *output = NULL;
+ enum cil_log_level log_level = CIL_ERR;
+ static struct option long_opts[] = {{"base", required_argument, 0, 'b'},
+ {"output", required_argument, 0, 'o'},
+ {"verbose", no_argument, 0, 'v'},
+ {"help", no_argument, 0, 'h'},
+ {0, 0, 0, 0}};
+
+ while (1) {
+ int opt_index = 0;
+ int opt_char = getopt_long(argc, argv, "b:o:vh", long_opts, &opt_index);
+ if (opt_char == -1) {
+ break;
+ }
+ switch (opt_char)
+ {
+ case 'b':
+ base = optarg;
+ break;
+ case 'o':
+ output = optarg;
+ break;
+ case 'v':
+ log_level++;
+ break;
+ case 'h':
+ usage(argv[0]);
+ default:
+ fprintf(stderr, "Unsupported option: %s.\n", optarg);
+ usage(argv[0]);
+ }
+ }
+ if (base == NULL || output == NULL) {
+ fprintf(stderr, "Please specify required arguments.\n");
+ usage(argv[0]);
+ }
+
+ cil_set_log_level(log_level);
+
+ // Initialize and read input policydb file.
+ sepol_policydb_t *pdb = NULL;
+ int rc = sepol_policydb_create(&pdb);
+ if (rc != 0) {
+ fprintf(stderr, "Could not create policy db: %d.\n", rc);
+ exit(rc);
+ }
+
+ rc = read_binary_policy(base, pdb);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to read binary policy: %d.\n", rc);
+ exit(rc);
+ }
+
+ // Initialize cil_db.
+ struct cil_db *incremental_db = NULL;
+ cil_db_init(&incremental_db);
+ cil_set_attrs_expand_generated(incremental_db, 1);
+
+ // Read input cil files and compile them into cil_db.
+ rc = read_cil_files(&incremental_db, argv + optind, argc - optind);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to read CIL files: %d.\n", rc);
+ exit(rc);
+ }
+
+ rc = cil_compile(incremental_db);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to compile cildb: %d.\n", rc);
+ exit(rc);
+ }
+
+ // Amend the policydb.
+ rc = cil_amend_policydb(incremental_db, pdb);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to build policydb.\n");
+ exit(rc);
+ }
+
+ rc = write_binary_policy(pdb, output);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to write binary policy: %d.\n", rc);
+ exit(rc);
+ }
+}
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 392a750..24f0d51 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,7 +4,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl\.example u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.effect\.service-aidl\.example u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
@@ -20,13 +21,14 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
@@ -90,8 +92,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example(-lazy)? u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index 2b94313..f94cf5f 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -14,3 +14,7 @@
# Needed for reading/writing misc partition.
allow hal_bootctl_default block_device:dir search;
allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
+
+# Needed for writing to kernel log
+allow hal_bootctl_default kmsg_device:chr_file open;
+allow hal_bootctl_default kmsg_device:chr_file write;
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 891d1f4..ddfa62e 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -3,3 +3,5 @@
type hal_face_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_face_default)
+
+set_prop(hal_face_default, virtual_face_hal_prop)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 638b603..812c528 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -3,3 +3,5 @@
type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_fingerprint_default)
+
+set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index 639c7bd..e11d4dd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -8,3 +8,6 @@
# Access to /dev/dma_heap/system
allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Allow servicemanager to notify hal_tv_tuner_default clients status
+binder_use(hal_tv_tuner_default)
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index 52769dd..8adf8d3 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -11,3 +11,8 @@
# communicate with servicemanager
binder_call(hal_vehicle_server, servicemanager)
+
+# communicate with statsd
+hwbinder_use(hal_vehicle_default)
+allow hal_vehicle_default fwk_stats_hwservice:hwservice_manager find;
+binder_call(hal_vehicle_default, stats_service_server)
