[automerger skipped] Merge "Allow for server-side configuration of libstagefright" into android14-tests-dev am: 46668eaca7 -s ours
am skip reason: Merged-In I95aa6772a40599636d109d6960c2898e44648c9b with SHA-1 ffeb680417 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2869455
Change-Id: Ic3f9aa6bb7aa559e391448fa5198b8f73df9af28
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/Android.bp b/Android.bp
index 4028215..88107cc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -103,6 +103,7 @@
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
name: "reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: reqd_mask_policy,
installable: false,
}
@@ -138,10 +139,12 @@
//
se_policy_conf {
name: "pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
reqd_mask_policy,
+ vendor: true,
installable: false,
}
@@ -150,14 +153,17 @@
src: ":pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
+ vendor: true,
installable: false,
}
se_policy_conf {
name: "system_ext_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
reqd_mask_policy,
+ system_ext_specific: true,
installable: false,
}
@@ -166,11 +172,13 @@
src: ":system_ext_pub_policy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
+ system_ext_specific: true,
installable: false,
}
se_policy_conf {
name: "plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
installable: false,
@@ -191,6 +199,7 @@
// currently being attributized.
se_policy_conf {
name: "plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
installable: false,
@@ -203,39 +212,10 @@
}
-se_policy_conf {
- name: "apex_sepolicy-33.conf",
- srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
- installable: false,
-}
-
-se_policy_cil {
- name: "apex_sepolicy-33.cil",
- src: ":apex_sepolicy-33.conf",
- filter_out: [":plat_sepolicy.cil"],
- installable: false,
- stem: "apex_sepolicy.cil",
-}
-
-se_policy_cil {
- name: "decompiled_sepolicy-without_apex.cil",
- src: ":precompiled_sepolicy-without_apex",
- decompile_binary: true,
-}
-
-se_policy_cil {
- name: "apex_sepolicy-33.decompiled.cil",
- src: ":precompiled_sepolicy",
- decompile_binary: true,
- filter_out: [":decompiled_sepolicy-without_apex.cil"],
- additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
- secilc_check: false,
- stem: "apex_sepolicy.decompiled.cil",
-}
-
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "userdebug",
@@ -286,10 +266,12 @@
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
name: "system_ext_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy,
+ system_ext_specific: true,
installable: false,
}
@@ -305,12 +287,14 @@
// which will ship with the device. Product policy is not attributized
se_policy_conf {
name: "product_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
product_private_policy,
+ product_specific: true,
installable: false,
}
@@ -353,116 +337,16 @@
product_specific: true,
}
+//////////////////////////////////
// vendor/odm sepolicy
-//
-// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-// policy files of platform (system, system_ext, product) can't be mixed with
-// policy files of vendor (vendor, odm). If it's the case, platform policies and
-// vendor policies are separately built. More specifically,
-//
-// - Platform policy files needed to build vendor policies, such as plat_policy,
-// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-//
-// - sepolicy_neverallows only checks platform policies, and a new module
-// sepolicy_neverallows_vendor checks vendor policies.
-//
-// - neverallow checks are turned off while compiling precompiled_sepolicy
-// module and sepolicy module.
-//
-// - Vendor policies are not checked on the compat test (compat.mk).
-//
-// In such scenario, we can grab platform policy files from the prebuilts/api
-// directory. But we need more than that: prebuilts of system_ext, product,
-// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
-// variables are introduced to specify such prebuilts.
-//
-// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-//
-// Vendors are responsible for copying policy files from the old version of the
-// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
-// can be used to build vendor policies.
-//
-// To support both mixed build and normal build, platform policy files are
-// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
-// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
-// Otherwise, they will be equal to the Makefile variables above.
-
-plat_public_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.reqd_mask_for_vendor}",
-]
-
-plat_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.plat_private_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.system_ext_private_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.product_private_for_vendor}",
-]
-
-se_policy_conf {
- name: "plat_policy_for_vendor.conf",
- srcs: plat_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_policy_for_vendor.cil",
- src: ":plat_policy_for_vendor.conf",
- additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
- installable: false,
-}
-
-se_policy_conf {
- name: "reqd_policy_mask_for_vendor.conf",
- srcs: [":se_build_files{.reqd_mask_for_vendor}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "reqd_policy_mask_for_vendor.cil",
- src: ":reqd_policy_mask_for_vendor.conf",
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "pub_policy_for_vendor.conf",
- srcs: plat_public_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "pub_policy_for_vendor.cil",
- src: ":pub_policy_for_vendor.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_versioned_policy {
- name: "plat_mapping_file_for_vendor",
- base: ":pub_policy_for_vendor.cil",
- mapping: true,
- version: "vendor",
- installable: false,
-}
+//////////////////////////////////
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
- base: ":pub_policy_for_vendor.cil",
- target_policy: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
version: "vendor",
vendor: true,
}
@@ -472,30 +356,38 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
],
+ vendor: true,
installable: false,
}
se_policy_cil {
name: "vendor_sepolicy.cil.raw",
src: ":vendor_sepolicy.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
+ filter_out: [":reqd_policy_mask.cil"],
secilc_check: false, // will be done in se_versioned_policy module
+ vendor: true,
installable: false,
}
se_versioned_policy {
name: "vendor_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":vendor_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
],
filter_out: [":plat_pub_versioned.cil"],
vendor: true,
@@ -506,11 +398,16 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
+ device_specific: true,
installable: false,
}
@@ -518,22 +415,25 @@
name: "odm_sepolicy.cil.raw",
src: ":odm_sepolicy.conf",
filter_out: [
- ":reqd_policy_mask_for_vendor.cil",
+ ":reqd_policy_mask.cil",
":vendor_sepolicy.cil",
],
secilc_check: false, // will be done in se_versioned_policy module
+ device_specific: true,
installable: false,
}
se_versioned_policy {
name: "odm_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":odm_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
":vendor_sepolicy.cil",
],
filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
@@ -550,9 +450,6 @@
// AND
// - product_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-// AND
-// - apex_sepolicy.sha256 equals
-// precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
genrule {
@@ -570,20 +467,6 @@
}
genrule {
- name: "apex_sepolicy.sha256_gen",
- srcs: [":apex_sepolicy-33.cil"],
- out: ["apex_sepolicy.sha256"],
- cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
-}
-
-prebuilt_etc {
- name: "apex_sepolicy.sha256",
- filename: "apex_sepolicy.sha256",
- src: ":apex_sepolicy.sha256_gen",
- installable: false,
-}
-
-genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
out: ["system_ext_sepolicy_and_mapping.sha256"],
@@ -652,18 +535,6 @@
}
//////////////////////////////////
-// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
-// was built.
-//////////////////////////////////
-prebuilt_etc {
- defaults: ["precompiled_sepolicy_prebuilts"],
- name: "precompiled_sepolicy.apex_sepolicy.sha256",
- filename: "precompiled_sepolicy.apex_sepolicy.sha256",
- src: ":apex_sepolicy.sha256_gen",
- relative_install_path: "selinux",
-}
-
-//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
@@ -691,21 +562,32 @@
name: "precompiled_se_policy_binary",
module_type: "se_policy_binary",
config_namespace: "ANDROID",
- bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
- value_variables: ["MIXED_SEPOLICY_VERSION"],
- properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
+ bool_variables: ["BOARD_USES_ODMIMAGE"],
+ properties: ["vendor", "device_specific"],
+}
+
+filegroup {
+ name: "precompiled_sepolicy_srcs",
+ srcs: [
+ ":plat_sepolicy.cil",
+ ":plat_pub_versioned.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":vendor_sepolicy.cil",
+ ":odm_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
+ // Useful when some partitions need to be bind mounted across VM boundaries.
+ visibility: ["//visibility:public"],
}
precompiled_se_policy_binary {
name: "precompiled_sepolicy",
srcs: [
- ":plat_sepolicy.cil",
- ":apex_sepolicy-33.cil",
- ":plat_pub_versioned.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ":vendor_sepolicy.cil",
- ":odm_sepolicy.cil",
+ ":precompiled_sepolicy_srcs",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@@ -714,71 +596,9 @@
vendor: true,
},
},
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
},
required: [
"sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
- ],
- dist: {
- targets: ["base-sepolicy-files-for-mapping"],
- },
-}
-
-precompiled_se_policy_binary {
- name: "precompiled_sepolicy-without_apex",
- srcs: [
- ":plat_sepolicy.cil",
- ":plat_pub_versioned.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ":vendor_sepolicy.cil",
- ":odm_sepolicy.cil",
- ],
- soong_config_variables: {
- BOARD_USES_ODMIMAGE: {
- device_specific: true,
- conditions_default: {
- vendor: true,
- },
- },
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
- },
- required: [
- "sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@@ -788,13 +608,20 @@
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
target_recovery: true,
installable: false,
+ recovery: true,
}
se_policy_cil {
@@ -802,6 +629,7 @@
src: ":recovery_sepolicy.conf",
secilc_check: false, // will be done in se_policy_binary module
installable: false,
+ recovery: true,
}
se_policy_binary {
@@ -817,6 +645,7 @@
//////////////////////////////////
se_policy_conf {
name: "general_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@@ -833,6 +662,7 @@
//////////////////////////////////
se_policy_conf {
name: "base_plat_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy,
build_variant: "user",
@@ -857,33 +687,8 @@
}
se_policy_conf {
- name: "base_system_ext_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy,
- build_variant: "user",
- installable: false,
-}
-
-se_policy_cil {
- name: "base_system_ext_sepolicy.cil",
- src: ":base_system_ext_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- system_ext_specific: true,
- installable: false,
- secilc_check: false, // done by se_policy_binary
-}
-
-se_policy_binary {
- name: "base_system_ext_sepolicy",
- srcs: [":base_system_ext_sepolicy.cil"],
- system_ext_specific: true,
- installable: false,
-}
-
-se_policy_conf {
name: "base_product_sepolicy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
@@ -892,6 +697,7 @@
product_private_policy,
build_variant: "user",
installable: false,
+ product_specific: true,
}
se_policy_cil {
@@ -912,6 +718,7 @@
se_policy_conf {
name: "base_plat_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
reqd_mask_policy,
build_variant: "user",
@@ -930,30 +737,15 @@
}
se_policy_conf {
- name: "base_system_ext_pub_policy.conf",
- srcs: plat_public_policy +
- system_ext_public_policy +
- reqd_mask_policy,
- build_variant: "user",
- installable: false,
-}
-
-se_policy_cil {
- name: "base_system_ext_pub_policy.cil",
- src: ":base_system_ext_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
name: "base_product_pub_policy.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
system_ext_public_policy +
product_public_policy +
reqd_mask_policy,
build_variant: "user",
installable: false,
+ product_specific: true,
}
se_policy_cil {
@@ -962,6 +754,7 @@
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
+ product_specific: true,
}
// bug_map - Bug tracking information for selinux denials loaded by auditd.
@@ -985,7 +778,7 @@
se_bug_map {
name: "vendor_bug_map",
- srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
+ srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor}"],
// Legacy file name of the vendor partition bug_map.
stem: "selinux_denial_metadata",
vendor: true,
@@ -993,18 +786,14 @@
se_neverallow_test {
name: "sepolicy_neverallows",
+ defaults: ["se_policy_conf_flags_defaults"],
srcs: plat_public_policy +
plat_private_policy +
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
- product_private_policy,
-}
-
-se_neverallow_test {
- name: "sepolicy_neverallows_vendor",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@@ -1016,7 +805,7 @@
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
se_freeze_test {
- name: "sepolicy_freeze_test",
+ name: "se_freeze_test",
}
//////////////////////////////////
@@ -1044,3 +833,45 @@
"-p $(location :precompiled_sepolicy) && " +
"touch $(out)",
}
+
+//////////////////////////////////
+// TestDevTypeViolations can't run on old devices (V or before)
+//////////////////////////////////
+
+soong_config_module_type {
+ name: "dev_type_test_genrule",
+ module_type: "genrule",
+ config_namespace: "ANDROID",
+ bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
+ properties: ["cmd"],
+}
+
+dev_type_test_genrule {
+ name: "sepolicy_dev_type_test",
+ srcs: [
+ ":plat_file_contexts",
+ ":vendor_file_contexts",
+ ":system_ext_file_contexts",
+ ":product_file_contexts",
+ ":odm_file_contexts",
+ ":precompiled_sepolicy",
+ ],
+ tools: ["sepolicy_tests"],
+ out: ["sepolicy_dev_type_test"],
+ soong_config_variables: {
+ CHECK_DEV_TYPE_VIOLATIONS: {
+ cmd: "$(location sepolicy_tests) " +
+ "-f $(location :plat_file_contexts) " +
+ "-f $(location :vendor_file_contexts) " +
+ "-f $(location :system_ext_file_contexts) " +
+ "-f $(location :product_file_contexts) " +
+ "-f $(location :odm_file_contexts) " +
+ "-p $(location :precompiled_sepolicy) " +
+ "-t TestDevTypeViolations && " +
+ "touch $(out)",
+ conditions_default: {
+ cmd: "touch $(out)",
+ },
+ },
+ },
+}
diff --git a/Android.mk b/Android.mk
index 618f7f0..63b74aa 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,13 +1,7 @@
LOCAL_PATH:= $(call my-dir)
-include $(LOCAL_PATH)/definitions.mk
-include $(LOCAL_PATH)/policy_version.mk
-
include $(CLEAR_VARS)
-MLS_SENS=1
-MLS_CATS=1024
-
ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif
@@ -73,13 +67,6 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
-mixed_sepolicy_build := true
-else
-mixed_sepolicy_build :=
-endif
-
-NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
@@ -87,7 +74,6 @@
$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
It does not work in user builds and using it will \
not stop you from failing CTS.)
-NEVERALLOW_ARG := -N
endif
# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
@@ -98,27 +84,6 @@
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
-# Set default values for these prebuilt directories
-ifeq (,$(BOARD_REQD_MASK_POLICY))
-BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
-endif
-
-ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
-BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
-endif
-
-$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
- $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
- BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
- ) \
-)))
-
-ifdef BOARD_ODM_SEPOLICY_DIRS
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
-endif
-endif
-
###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include
@@ -129,13 +94,6 @@
$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
endef
-# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
-# $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
-
-# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
-build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
-
sepolicy_build_files := security_classes \
initial_sids \
access_vectors \
@@ -197,36 +155,11 @@
endif
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-# CIL files which contain workarounds for current limitation of human-readable
-# module policy language. These files are appended to the CIL files produced
-# from module language files.
-sepolicy_build_cil_workaround_files := technical_debt.cil
-
-my_target_arch := $(TARGET_ARCH)
-ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
- my_target_arch := mips
-endif
-
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
-
with_asan := false
ifneq (,$(filter address,$(SANITIZE_TARGET)))
with_asan := true
endif
-with_native_coverage := false
-ifeq ($(NATIVE_COVERAGE),true)
- with_native_coverage := true
-endif
-ifeq ($(CLANG_COVERAGE),true)
- with_native_coverage := true
-endif
-
-treble_sysprop_neverallow := true
-ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
- treble_sysprop_neverallow := false
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -235,16 +168,6 @@
endif
endif
-enforce_sysprop_owner := true
-ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
- enforce_sysprop_owner := false
-endif
-
-enforce_debugfs_restriction := false
-ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
- enforce_debugfs_restriction := true
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -253,13 +176,6 @@
endif
endif
-# Library extension for host-side tests
-ifeq ($(HOST_OS),darwin)
-SHAREDLIB_EXT=dylib
-else
-SHAREDLIB_EXT=so
-endif
-
#################################
include $(CLEAR_VARS)
@@ -315,15 +231,6 @@
plat_bug_map \
searchpolicy \
-# This conditional inclusion closely mimics the conditional logic
-# inside init/init.cpp for loading SELinux policy from files.
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-# The following files are only allowed for non-Treble devices.
-LOCAL_REQUIRED_MODULES += \
- sepolicy \
-
-endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
-
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
@@ -333,18 +240,17 @@
# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_dev_type_test)/sepolicy_dev_type_test
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
-endif # PRODUCT_SEPOLICY_SPLIT
endif # SELINUX_IGNORE_NEVERALLOWS
endif # with_asan
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
- sepolicy_freeze_test
+ se_freeze_test
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -518,37 +424,8 @@
# Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files.
#
-built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-ifdef HAS_PRODUCT_SEPOLICY
-built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
-built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
-
-#################################
-# sepolicy is also built with Android.bp.
-# This module is to keep compatibility with monolithic sepolicy devices.
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_sepolicy)
- $(copy-file-to-target)
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
@@ -582,22 +459,32 @@
# Note: That a newline file is placed between each file_context file found to
# ensure a proper build when an fc file is missing an ending newline.
-local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
+local_fc_files := $(call intermediates-dir-for,ETC,plat_file_contexts)/plat_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
+local_fc_files += $(call intermediates-dir-for,ETC,system_ext_file_contexts)/system_ext_file_contexts
endif
ifdef HAS_PRODUCT_SEPOLICY_DIR
-local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
+local_fc_files += $(call intermediates-dir-for,ETC,product_file_contexts)/product_file_contexts
endif
-ifneq ($(filter address,$(SANITIZE_TARGET)),)
- local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
-endif
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
- local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
-endif
+###########################################################
+## Collect file_contexts files into a single tmp file with m4
+##
+## $(1): list of file_contexts files
+## $(2): filename into which file_contexts files are merged
+###########################################################
+
+define _merge-fc-files
+$(2): $(1) $(M4)
+ $(hide) mkdir -p $$(dir $$@)
+ $(hide) $(M4) --fatal-warnings -s $(1) > $$@
+endef
+
+define merge-fc-files
+$(eval $(call _merge-fc-files,$(1),$(2)))
+endef
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
@@ -606,10 +493,10 @@
# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
-device_fc_files := $(call build_vendor_policy, file_contexts)
+device_fc_files += $(call intermediates-dir-for,ETC,vendor_file_contexts)/vendor_file_contexts
ifdef BOARD_ODM_SEPOLICY_DIRS
-device_fc_files += $(call build_odm_policy, file_contexts)
+device_fc_files += $(call intermediates-dir-for,ETC,odm_file_contexts)/odm_file_contexts
endif
file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
@@ -638,11 +525,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-built_fc := $(LOCAL_BUILT_MODULE)
local_fc_files :=
-local_fcfiles_with_nl :=
device_fc_files :=
-device_fcfiles_with_nl :=
file_contexts.concat.tmp :=
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
@@ -650,67 +534,34 @@
file_contexts.modules.tmp :=
##################################
-
-all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
-all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
-endif
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
-endif
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
-endif
-all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-
-##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
-built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
-built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
-
-base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
-base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+ver := $(PLATFORM_SEPOLICY_VERSION)
+ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),)
+# If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil
+else
+# If not, use ToT for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+endif
+ver :=
$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
$(eval version_under_treble_tests := $(v)) \
$(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
)
-endif # PRODUCT_SEPOLICY_SPLIT
-built_plat_sepolicy :=
-built_system_ext_sepolicy :=
-built_product_sepolicy :=
base_plat_pub_policy.cil :=
-base_system_ext_pub_polcy.cil :=
base_product_pub_policy.cil :=
-all_fc_files :=
-all_fc_args :=
#################################
-build_vendor_policy :=
-build_odm_policy :=
build_policy :=
-built_plat_cil :=
-built_system_ext_cil :=
-built_product_cil :=
built_sepolicy :=
built_sepolicy_neverallows :=
-built_plat_svc :=
-built_vendor_svc :=
-treble_sysprop_neverallow :=
-enforce_sysprop_owner :=
-enforce_debugfs_restriction :=
-my_target_arch :=
sepolicy_build_files :=
-sepolicy_build_cil_workaround_files :=
with_asan :=
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/README.apps.md b/README.apps.md
new file mode 100644
index 0000000..bdb13e9
--- /dev/null
+++ b/README.apps.md
@@ -0,0 +1,57 @@
+The policy defines multiple types and attributes for apps. This document is a
+high-level overview of these. For further details on each type, refer to their
+specific files in the public/ and private/ directories.
+
+## appdomain
+In general, all apps will have the `appdomain` attribute. You can think of
+`appdomain` as any app started by Zygote. The macro `app_domain()` should be
+used to define a type that is considered an app (see public/te_macros).
+
+## untrusted_app
+Third-party apps (for example, installed from the Play Store), targeting the
+most recent SDK version will be typed as `untrusted_app`. This is the default
+domain for apps, unless a more specific criteria applies.
+
+When an app is targeting a previous SDK version, it may have the
+`untrusted_app_xx` type where xx is the targetSdkVersion. For instance, an app
+with `targetSdkVersion = 32` in its manifest will be typed as `untrusted_app_32`.
+Not all targetSdkVersion have a specific type, some version are skipped when no
+differences were introduced (see public/untrusted_app.te for more details).
+
+The `untrusted_app_all` attribute can be used to reference all the types
+described in this section (that is, `untrusted_app`, `untrusted_app_30`,
+`untrusted_app_32`, etc.).
+
+## isolated_app
+Apps may be restricted when using isolatedProcess=true in their manifest. In
+this case, they will be assigned the `isolated_app` type. A similar type
+`isolated_compute_app` exist for some restricted services.
+
+Both types `isolated_app` and `isolated_compute_app` are grouped under the
+attribute `isolated_app_all`.
+
+## ephemeral_app
+Apps that are run without installation. These are apps deployed for example via
+Google Play Instant. These are more constrained than `untrusted_app`.
+
+## sdk_sandbox
+SDK runtime apps, installed as part of the Privacy Sandbox project. These are
+sandboxed to limit their communication channels.
+
+## platform_app
+Apps that are signed with the platform key. These are installed within the
+system or vendor image. com.android.systemui is an example of an app running
+with this type.
+
+## system_app
+Apps pre-installed on a device, signed by the platform key and running with the
+system UID. com.android.settings is an example of an app running with this
+type.
+
+## priv_app
+Apps shipped as part of the device and installed in one of the
+`/{system,vendor,product}/priv-app` directories.
+com.google.android.apps.messaging is an example of an app running as priv_app.
+Permissions for these apps need to be explicitly granted, see
+https://source.android.com/docs/core/permissions/perms-allowlist for more
+details.
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 9aa510b..053e36a 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -11,9 +11,6 @@
},
{
"include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
- },
- {
- "include-filter": "android.security.cts.SeamendcHostTest"
}
]
}
diff --git a/apex/Android.bp b/apex/Android.bp
index c2a006b..04fd5f6 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -24,11 +24,6 @@
// TODO(b/236681553): Remove com.android.bluetooth-file_contexts
filegroup {
- name: "apex_file_contexts_files",
- srcs: ["*-file_contexts"],
-}
-
-filegroup {
name: "apex.test-file_contexts",
srcs: [
"apex.test-file_contexts",
@@ -92,6 +87,13 @@
}
filegroup {
+ name: "com.android.crashrecovery-file_contexts",
+ srcs: [
+ "com.android.crashrecovery-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.federatedcompute-file_contexts",
srcs: [
"com.android.federatedcompute-file_contexts",
@@ -190,13 +192,6 @@
}
filegroup {
- name: "com.android.sepolicy-file_contexts",
- srcs: [
- "com.android.sepolicy-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.tzdata-file_contexts",
srcs: [
"com.android.tzdata-file_contexts",
@@ -210,11 +205,10 @@
],
}
-filegroup {
+file_contexts {
name: "com.android.virt-file_contexts",
- srcs: [
- "com.android.virt-file_contexts",
- ],
+ defaults: ["contexts_flags_defaults"],
+ srcs: ["com.android.virt-file_contexts"],
}
filegroup {
diff --git a/apex/com.android.crashrecovery-file_contexts b/apex/com.android.crashrecovery-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.crashrecovery-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.nfcservices-file_contexts b/apex/com.android.nfcservices-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.nfcservices-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.sepolicy-file_contexts b/apex/com.android.sepolicy-file_contexts
deleted file mode 100644
index 83b4b58..0000000
--- a/apex/com.android.sepolicy-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index af366d8..473b0f2 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,3 +1,5 @@
(/.*)? u:object_r:system_file:s0
/bin/for-system/clatd u:object_r:clatd_exec:s0
+/bin/netbpfload u:object_r:bpfloader_exec:s0
+/bin/ot-daemon u:object_r:ot_daemon_exec:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index afe9f51..78720aa 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -3,4 +3,6 @@
/bin/fd_server u:object_r:fd_server_exec:s0
/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
-/bin/vfio_handler u:object_r:vfio_handler_exec:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ /bin/vfio_handler u:object_r:vfio_handler_exec:s0
+')
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 83b31b4..0abfdf6 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -35,6 +35,7 @@
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
+ "flags.go",
"mac_permissions.go",
"policy.go",
"selinux.go",
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index ed92f1a..a15c65c 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -16,6 +16,7 @@
import (
"fmt"
+ "path"
"path/filepath"
"strings"
@@ -103,30 +104,15 @@
b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
- if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
- // vendor uses the same source with plat policy
- b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
- b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
- b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
- b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
- b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
- b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
- b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
- b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
- } else {
- // use vendor-supplied plat prebuilts
- b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
- b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
- b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
- b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
- b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
- b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
- b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
- b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
+ prebuilt_directories, err := ctx.GlobWithDeps("system/sepolicy/prebuilts/api/*", nil)
+ if err != nil {
+ ctx.ModuleErrorf("error while globbing: %w", err)
+ return
}
// directories used for compat tests and Treble tests
- for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ for _, dir := range prebuilt_directories {
+ ver := path.Base(dir)
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "private"))
b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index c9daf7c..eb7cb06 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -20,7 +20,6 @@
import (
"android/soong/android"
"fmt"
- "io"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@@ -67,18 +66,21 @@
Bottom_half []string `android:"path"`
// name of the output
Stem *string
+ // Target version that this module supports. This module will be ignored if platform sepolicy
+ // version is same as this module's version.
+ Version *string
}
type cilCompatMap struct {
android.ModuleBase
properties cilCompatMapProperties
// (.intermediate) module output path as installation source.
- installSource android.Path
+ installSource android.OptionalPath
installPath android.InstallPath
}
type CilCompatMapGenerator interface {
- GeneratedMapFile() android.Path
+ GeneratedMapFile() android.OptionalPath
}
func expandTopHalf(ctx android.ModuleContext) android.OptionalPath {
@@ -87,7 +89,7 @@
depTag := ctx.OtherModuleDependencyTag(dep)
switch depTag {
case TopHalfDepTag:
- topHalf = android.OptionalPathForPath(dep.(CilCompatMapGenerator).GeneratedMapFile())
+ topHalf = dep.(CilCompatMapGenerator).GeneratedMapFile()
}
})
return topHalf
@@ -97,7 +99,15 @@
return android.PathsForModuleSrc(ctx, srcFiles)
}
+func (c *cilCompatMap) shouldSkipBuild(ctx android.ModuleContext) bool {
+ return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
+}
+
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if c.shouldSkipBuild(ctx) {
+ return
+ }
+
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
srcFiles := expandSeSources(ctx, c.properties.Bottom_half)
@@ -130,9 +140,9 @@
"bottomHalf": bottomHalf.String(),
},
})
- c.installSource = out
+ c.installSource = android.OptionalPathForPath(out)
} else {
- c.installSource = bottomHalf
+ c.installSource = android.OptionalPathForPath(bottomHalf)
}
}
@@ -142,30 +152,38 @@
}
}
-func (c *cilCompatMap) AndroidMk() android.AndroidMkData {
- ret := android.AndroidMkData{
- OutputFile: android.OptionalPathForPath(c.installSource),
- Class: "ETC",
+func (c *cilCompatMap) AndroidMkEntries() []android.AndroidMkEntries {
+ if !c.installSource.Valid() {
+ return nil
}
- ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.String())
- if c.properties.Stem != nil {
- fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
- }
- })
- return ret
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: c.installSource,
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
+ if c.properties.Stem != nil {
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", String(c.properties.Stem))
+ }
+ },
+ },
+ }}
}
var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
var _ android.OutputFileProducer = (*cilCompatMap)(nil)
-func (c *cilCompatMap) GeneratedMapFile() android.Path {
+func (c *cilCompatMap) GeneratedMapFile() android.OptionalPath {
return c.installSource
}
func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
if tag == "" {
- return android.Paths{c.installSource}, nil
+ if c.installSource.Valid() {
+ return android.Paths{c.installSource.Path()}, nil
+ } else {
+ return nil, nil
+ }
}
return nil, fmt.Errorf("Unknown tag %q", tag)
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index afd2396..baad413 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -29,7 +29,7 @@
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
- ctx.RegisterSingletonModuleType("se_compat_test", compatTestFactory)
+ ctx.RegisterParallelSingletonModuleType("se_compat_test", compatTestFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
@@ -43,7 +43,7 @@
type compatCil struct {
android.ModuleBase
properties compatCilProperties
- installSource android.Path
+ installSource android.OptionalPath
installPath android.InstallPath
}
@@ -53,6 +53,10 @@
// Output file name. Defaults to module name if unspecified.
Stem *string
+
+ // Target version that this module supports. This module will be ignored if platform sepolicy
+ // version is same as this module's version.
+ Version *string
}
func (c *compatCil) stem() string {
@@ -63,11 +67,19 @@
return android.PathsForModuleSrc(ctx, c.properties.Srcs)
}
+func (c *compatCil) shouldSkipBuild(ctx android.ModuleContext) bool {
+ return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
+}
+
func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
}
+ if c.shouldSkipBuild(ctx) {
+ return
+ }
+
srcPaths := c.expandSeSources(ctx)
out := android.PathForModuleGen(ctx, c.Name())
ctx.Build(pctx, android.BuildParams{
@@ -78,14 +90,17 @@
})
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
- c.installSource = out
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+ c.installSource = android.OptionalPathForPath(out)
+ ctx.InstallFile(c.installPath, c.stem(), out)
}
func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
+ if !c.installSource.Valid() {
+ return nil
+ }
return []android.AndroidMkEntries{android.AndroidMkEntries{
Class: "ETC",
- OutputFile: android.OptionalPathForPath(c.installSource),
+ OutputFile: c.installSource,
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
@@ -98,7 +113,11 @@
func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
switch tag {
case "":
- return android.Paths{c.installSource}, nil
+ if c.installSource.Valid() {
+ return android.Paths{c.installSource.Path()}, nil
+ } else {
+ return nil, nil
+ }
default:
return nil, fmt.Errorf("unsupported module reference tag %q", tag)
}
@@ -110,6 +129,7 @@
// current policy.
func compatTestFactory() android.SingletonModule {
f := &compatTestModule{}
+ f.AddProperties(&f.properties)
android.InitAndroidModule(f)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
@@ -119,6 +139,10 @@
type compatTestModule struct {
android.SingletonModuleBase
+ properties struct {
+ // Default modules for conf
+ Defaults []string
+ }
compatTestTimestamp android.ModuleOutPath
}
@@ -138,6 +162,10 @@
":se_build_files{.reqd_mask}",
},
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: f.properties.Defaults,
})
ctx.CreateModule(policyCilFactory, &nameProperties{
diff --git a/build/soong/flags.go b/build/soong/flags.go
new file mode 100644
index 0000000..b1aebac
--- /dev/null
+++ b/build/soong/flags.go
@@ -0,0 +1,54 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "android/soong/android"
+)
+
+type flagsProperties struct {
+ // List of flags to be passed to M4 macro.
+ Flags []string
+}
+
+type flaggableModule interface {
+ android.Module
+ flagModuleBase() *flaggableModuleBase
+ getBuildFlags(ctx android.ModuleContext) map[string]string
+}
+
+type flaggableModuleBase struct {
+ properties flagsProperties
+}
+
+func initFlaggableModule(m flaggableModule) {
+ base := m.flagModuleBase()
+ m.AddProperties(&base.properties)
+}
+
+func (f *flaggableModuleBase) flagModuleBase() *flaggableModuleBase {
+ return f
+}
+
+// getBuildFlags returns a map from flag names to flag values.
+func (f *flaggableModuleBase) getBuildFlags(ctx android.ModuleContext) map[string]string {
+ ret := make(map[string]string)
+ for _, flag := range android.SortedUniqueStrings(f.properties.Flags) {
+ if val, ok := ctx.Config().GetBuildFlag(flag); ok {
+ ret[flag] = val
+ }
+ }
+ return ret
+}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index aea8e09..9d87275 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -27,7 +27,6 @@
)
const (
- // TODO: sync with Android.mk
MlsSens = 1
MlsCats = 1024
PolicyVers = 30
@@ -59,6 +58,7 @@
func init() {
android.RegisterModuleType("se_policy_conf", policyConfFactory)
+ android.RegisterModuleType("se_policy_conf_defaults", policyConfDefaultFactory)
android.RegisterModuleType("se_policy_cil", policyCilFactory)
android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
}
@@ -94,6 +94,8 @@
type policyConf struct {
android.ModuleBase
+ android.DefaultableModuleBase
+ flaggableModuleBase
properties policyConfProperties
@@ -101,12 +103,35 @@
installPath android.InstallPath
}
+var _ flaggableModule = (*policyConf)(nil)
+
// se_policy_conf merges collection of policy files into a policy.conf file to be processed by
// checkpolicy.
func policyConfFactory() android.Module {
c := &policyConf{}
c.AddProperties(&c.properties)
+ initFlaggableModule(c)
android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ android.InitDefaultableModule(c)
+ return c
+}
+
+type policyConfDefaults struct {
+ android.ModuleBase
+ android.DefaultsModuleBase
+}
+
+// se_policy_conf_defaults provides a set of properties that can be inherited by other
+// se_policy_conf_defaults modules. A module can use the properties from a se_policy_conf_defaults
+// using `defaults: ["<:default_module_name>"]`. Properties of both modules are merged (when
+// possible) by prepending the default module's values to the depending module's values.
+func policyConfDefaultFactory() android.Module {
+ c := &policyConfDefaults{}
+ c.AddProperties(
+ &policyConfProperties{},
+ &flagsProperties{},
+ )
+ android.InitDefaultsModule(c)
return c
}
@@ -151,7 +176,7 @@
if c.isTargetRecovery() {
return "false"
}
- return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
+ return strconv.FormatBool(true)
}
func (c *policyConf) compatibleProperty(ctx android.ModuleContext) string {
@@ -209,7 +234,7 @@
}
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
- conf := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ conf := pathForModuleOut(ctx, c.stem())
rule := android.NewRuleBuilder(pctx, ctx)
srcs := android.PathsForModuleSrc(ctx, c.properties.Srcs)
@@ -217,6 +242,7 @@
return findPolicyConfOrder(srcs[x].Base()) < findPolicyConfOrder(srcs[y].Base())
})
+ flags := c.getBuildFlags(ctx)
rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Flag("--fatal-warnings").
FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
@@ -235,6 +261,7 @@
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
+ Flags(flagsToM4Macros(flags)).
Flag("-s").
Inputs(srcs).
Text("> ").Output(conf)
@@ -243,10 +270,6 @@
return conf
}
-func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
- // do nothing
-}
-
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if !c.installable() {
c.SkipInstall()
@@ -340,7 +363,7 @@
}
func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
- cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ cil := pathForModuleOut(ctx, c.stem())
rule := android.NewRuleBuilder(pctx, ctx)
checkpolicyCmd := rule.Command().BuiltTool("checkpolicy").
Flag("-C"). // Write CIL
@@ -496,7 +519,7 @@
ctx.PropertyErrorf("srcs", "must be specified")
return
}
- bin := android.PathForModuleOut(ctx, c.stem()+"_policy")
+ bin := pathForModuleOut(ctx, c.stem()+"_policy")
rule := android.NewRuleBuilder(pctx, ctx)
secilcCmd := rule.Command().BuiltTool("secilc").
Flag("-m"). // Multiple decls
@@ -514,7 +537,7 @@
// permissive check is performed only in user build (not debuggable).
if !ctx.Config().Debuggable() {
- permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
+ permissiveDomains := pathForModuleOut(ctx, c.stem()+"_permissive")
cmd := rule.Command().BuiltTool("sepolicy-analyze").
Input(bin).
Text("permissive")
@@ -544,7 +567,7 @@
Text("; exit 1; fi")
}
- out := android.PathForModuleOut(ctx, c.stem())
+ out := pathForModuleOut(ctx, c.stem())
rule.Command().Text("cp").
Flag("-f").
Input(bin).
diff --git a/build/soong/selinux.go b/build/soong/selinux.go
index 7ad4776..f811231 100644
--- a/build/soong/selinux.go
+++ b/build/soong/selinux.go
@@ -28,3 +28,25 @@
var (
pctx = android.NewPackageContext("android/soong/selinux")
)
+
+// pathForModuleOut is same as android.PathForModuleOut, except that it uses DeviceName() as its
+// intermediate directory name for system_ext/product/vendor/odm modules, to avoid rebuilding upon
+// target change. Contents of system modules (core sepolicy) should be identical across devices, so
+// they falls back to android.PathForModuleOut.
+func pathForModuleOut(ctx android.ModuleContext, paths ...string) android.OutputPath {
+ if ctx.Platform() && !ctx.InstallInRecovery() {
+ return android.PathForModuleOut(ctx, paths...).OutputPath
+ }
+
+ return android.PathForModuleOut(ctx, ctx.Config().DeviceName()).Join(ctx, paths...)
+}
+
+// flagsToM4Macros converts given map to a list of M4's -D parameters to guard te files and contexts
+// files.
+func flagsToM4Macros(flags map[string]string) []string {
+ flagMacros := []string{}
+ for _, flag := range android.SortedKeys(flags) {
+ flagMacros = append(flagMacros, "-D target_flag_"+flag+"="+flags[flag])
+ }
+ return flagMacros
+}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 7faafc6..5cc9c70 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -17,8 +17,6 @@
import (
"fmt"
"io"
- "os"
- "strings"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@@ -50,15 +48,6 @@
Recovery_available *bool
}
-type fileContextsProperties struct {
- // flatten_apex can be used to specify additional sources of file_contexts.
- // Apex paths, /system/apex/{apex_name}, will be amended to the paths of file_contexts
- // entries.
- Flatten_apex struct {
- Srcs []string `android:"path"`
- }
-}
-
type seappProperties struct {
// Files containing neverallow rules.
Neverallow_files []string `android:"path"`
@@ -69,16 +58,19 @@
type selinuxContextsModule struct {
android.ModuleBase
+ android.DefaultableModuleBase
+ flaggableModuleBase
- properties selinuxContextsProperties
- fileContextsProperties fileContextsProperties
- seappProperties seappProperties
- build func(ctx android.ModuleContext, inputs android.Paths) android.Path
- deps func(ctx android.BottomUpMutatorContext)
- outputPath android.Path
- installPath android.InstallPath
+ properties selinuxContextsProperties
+ seappProperties seappProperties
+ build func(ctx android.ModuleContext, inputs android.Paths) android.Path
+ deps func(ctx android.BottomUpMutatorContext)
+ outputPath android.Path
+ installPath android.InstallPath
}
+var _ flaggableModule = (*selinuxContextsModule)(nil)
+
var (
reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
syspropLibraryDepTag = dependencyTag{name: "sysprop_library"}
@@ -87,6 +79,7 @@
func init() {
pctx.HostBinToolVariable("fc_sort", "fc_sort")
+ android.RegisterModuleType("contexts_defaults", contextsDefaultsFactory)
android.RegisterModuleType("file_contexts", fileFactory)
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
@@ -164,16 +157,37 @@
m := &selinuxContextsModule{}
m.AddProperties(
&m.properties,
- &m.fileContextsProperties,
&m.seappProperties,
)
+ initFlaggableModule(m)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ android.InitDefaultableModule(m)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
m.selinuxContextsHook(ctx)
})
return m
}
+type contextsDefaults struct {
+ android.ModuleBase
+ android.DefaultsModuleBase
+}
+
+// contexts_defaults provides a set of properties that can be inherited by other contexts modules.
+// (file_contexts, property_contexts, seapp_contexts, etc.) A module can use the properties from a
+// contexts_defaults using `defaults: ["<:default_module_name>"]`. Properties of both modules are
+// erged (when possible) by prepending the default module's values to the depending module's values.
+func contextsDefaultsFactory() android.Module {
+ m := &contextsDefaults{}
+ m.AddProperties(
+ &selinuxContextsProperties{},
+ &seappProperties{},
+ &flagsProperties{},
+ )
+ android.InitDefaultsModule(m)
+ return m
+}
+
func (m *selinuxContextsModule) selinuxContextsHook(ctx android.LoadHookContext) {
// TODO: clean this up to use build/soong/android/variable.go after b/79249983
var srcs []string
@@ -243,11 +257,11 @@
var _ android.ImageInterface = (*selinuxContextsModule)(nil)
func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- builtContext := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
+ builtContext := pathForModuleOut(ctx, ctx.ModuleName()+"_m4out")
rule := android.NewRuleBuilder(pctx, ctx)
- newlineFile := android.PathForModuleGen(ctx, "newline")
+ newlineFile := pathForModuleOut(ctx, "newline")
rule.Command().Text("echo").FlagWithOutput("> ", newlineFile)
rule.Temporary(newlineFile)
@@ -257,17 +271,19 @@
inputsWithNewline = append(inputsWithNewline, input, newlineFile)
}
+ flags := m.getBuildFlags(ctx)
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Flags(flagsToM4Macros(flags)).
Inputs(inputsWithNewline).
FlagWithOutput("> ", builtContext)
if proptools.Bool(m.properties.Remove_comment) {
rule.Temporary(builtContext)
- remove_comment_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_remove_comment")
+ remove_comment_output := pathForModuleOut(ctx, ctx.ModuleName()+"_remove_comment")
rule.Command().
Text("sed -e 's/#.*$//' -e '/^$/d'").
@@ -280,7 +296,7 @@
if proptools.Bool(m.properties.Fc_sort) {
rule.Temporary(builtContext)
- sorted_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_sorted")
+ sorted_output := pathForModuleOut(ctx, ctx.ModuleName()+"_sorted")
rule.Command().
Tool(ctx.Config().HostToolPath(ctx, "fc_sort")).
@@ -290,7 +306,7 @@
builtContext = sorted_output
}
- ret := android.PathForModuleGen(ctx, m.stem())
+ ret := pathForModuleOut(ctx, m.stem())
rule.Temporary(builtContext)
rule.Command().Text("cp").Input(builtContext).Output(ret)
@@ -301,29 +317,9 @@
}
func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- if m.properties.Fc_sort == nil {
- m.properties.Fc_sort = proptools.BoolPtr(true)
+ if m.properties.Remove_comment == nil {
+ m.properties.Remove_comment = proptools.BoolPtr(true)
}
-
- rule := android.NewRuleBuilder(pctx, ctx)
-
- if ctx.Config().FlattenApex() {
- for _, path := range android.PathsForModuleSrc(ctx, m.fileContextsProperties.Flatten_apex.Srcs) {
- out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
- apex_path := "/system/apex/" + strings.Replace(
- strings.TrimSuffix(path.Base(), "-file_contexts"),
- ".", "\\\\.", -1)
-
- rule.Command().
- Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
- Input(path).
- FlagWithOutput("> ", out)
-
- inputs = append(inputs, out)
- }
- }
-
- rule.Build(m.Name(), "flattened_apex_file_contexts")
return m.buildGeneralContexts(ctx, inputs)
}
@@ -341,7 +337,7 @@
return m.buildGeneralContexts(ctx, inputs)
}
-func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
+func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, input android.Path) android.Path {
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
@@ -382,37 +378,33 @@
}
}
- var ret android.Paths
- for _, input := range inputs {
- cmd := rule.Command().
- BuiltTool("check_prop_prefix").
- FlagWithInput("--property-contexts ", input).
- FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
- FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
+ cmd := rule.Command().
+ BuiltTool("check_prop_prefix").
+ FlagWithInput("--property-contexts ", input).
+ FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
+ FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
- if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
- cmd.Flag("--strict")
- }
-
- out := android.PathForModuleGen(ctx, "namespace_checked").Join(ctx, input.String())
- rule.Command().Text("cp -f").Input(input).Output(out)
- ret = append(ret, out)
+ if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
+ cmd.Flag("--strict")
}
+
+ out := pathForModuleOut(ctx, ctx.ModuleName()+"_namespace_checked")
+ rule.Command().Text("cp -f").Input(input).Output(out)
rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
- return ret
+ return out
}
func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
// vendor/odm properties are enforced for devices launching with Android Q or later. So, if
// vendor/odm, make sure that only vendor/odm properties exist.
+ builtCtxFile := m.buildGeneralContexts(ctx, inputs)
+
shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
- inputs = m.checkVendorPropertyNamespace(ctx, inputs)
+ builtCtxFile = m.checkVendorPropertyNamespace(ctx, builtCtxFile)
}
- builtCtxFile := m.buildGeneralContexts(ctx, inputs)
-
var apiFiles android.Paths
ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
@@ -426,7 +418,7 @@
// check compatibility with sysprop_library
if len(apiFiles) > 0 {
- out := android.PathForModuleGen(ctx, ctx.ModuleName()+"_api_checked")
+ out := pathForModuleOut(ctx, ctx.ModuleName()+"_api_checked")
rule := android.NewRuleBuilder(pctx, ctx)
msg := `\n******************************\n` +
@@ -451,27 +443,55 @@
return builtCtxFile
}
-func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- neverallowFile := android.PathForModuleGen(ctx, "neverallow")
- ret := android.PathForModuleGen(ctx, m.stem())
+func (m *selinuxContextsModule) shouldCheckCoredomain(ctx android.ModuleContext) bool {
+ if !ctx.SocSpecific() && !ctx.DeviceSpecific() {
+ return false
+ }
+ return ctx.DeviceConfig().CheckVendorSeappViolations()
+}
+
+func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ neverallowFile := pathForModuleOut(ctx, "neverallow")
+ ret := pathForModuleOut(ctx, "checkseapp", m.stem())
+
+ // Step 1. Generate a M4 processed neverallow file
+ flags := m.getBuildFlags(ctx)
+ m4NeverallowFile := pathForModuleOut(ctx, "neverallow.m4out")
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Text("(grep").
+ rule.Command().
+ Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+ Flag("--fatal-warnings").
+ FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+ Flags(flagsToM4Macros(flags)).
+ Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
+ FlagWithOutput("> ", m4NeverallowFile)
+
+ rule.Temporary(m4NeverallowFile)
+ rule.Command().
+ Text("( grep").
Flag("-ihe").
Text("'^neverallow'").
- Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
- Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
+ Input(m4NeverallowFile).
Text(">").
Output(neverallowFile).
- Text("|| true)") // to make ninja happy even when result is empty
+ Text("|| true )") // to make ninja happy even when result is empty
+ // Step 2. Generate a M4 processed contexts file
+ builtCtx := m.buildGeneralContexts(ctx, inputs)
+
+ // Step 3. checkseapp
rule.Temporary(neverallowFile)
- rule.Command().BuiltTool("checkseapp").
+ checkCmd := rule.Command().BuiltTool("checkseapp").
FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
FlagWithOutput("-o ", ret).
- Inputs(inputs).
+ Input(builtCtx).
Input(neverallowFile)
+ if m.shouldCheckCoredomain(ctx) {
+ checkCmd.Flag("-c") // check coredomain for vendor contexts
+ }
+
rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
return ret
}
@@ -537,19 +557,32 @@
Sepolicy *string `android:"path"`
}
+type fileContextsTestProperties struct {
+ // Test data. File passed to `checkfc -t` to validate how contexts are resolved.
+ Test_data *string `android:"path"`
+}
+
type contextsTestModule struct {
android.ModuleBase
- // Name of the test tool. "checkfc" or "property_info_checker"
- tool string
+ // The type of context.
+ context contextType
- // Additional flags to be passed to the tool.
- flags []string
-
- properties contextsTestProperties
- testTimestamp android.ModuleOutPath
+ properties contextsTestProperties
+ fileProperties fileContextsTestProperties
+ testTimestamp android.OutputPath
}
+type contextType int
+
+const (
+ FileContext contextType = iota
+ PropertyContext
+ ServiceContext
+ HwServiceContext
+ VndServiceContext
+)
+
// checkfc parses a context file and checks for syntax errors.
// If -s is specified, the service backend is used to verify binder services.
// If -l is specified, the service backend is used to verify hwbinder services.
@@ -558,15 +591,16 @@
// file_contexts_test tests given file_contexts files with checkfc.
func fileContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc" /* no flags: file_contexts file check */}
+ m := &contextsTestModule{context: FileContext}
m.AddProperties(&m.properties)
+ m.AddProperties(&m.fileProperties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
}
// property_contexts_test tests given property_contexts files with property_info_checker.
func propertyContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "property_info_checker"}
+ m := &contextsTestModule{context: PropertyContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
@@ -574,7 +608,7 @@
// hwservice_contexts_test tests given hwservice_contexts files with checkfc.
func hwserviceContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-l" /* hwbinder services */}}
+ m := &contextsTestModule{context: HwServiceContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
@@ -583,7 +617,7 @@
// service_contexts_test tests given service_contexts files with checkfc.
func serviceContextsTestFactory() android.Module {
// checkfc -s: service_contexts test
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-s" /* binder services */}}
+ m := &contextsTestModule{context: ServiceContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
@@ -591,16 +625,16 @@
// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
func vndServiceContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
+ m := &contextsTestModule{context: VndServiceContext}
m.AddProperties(&m.properties)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
return m
}
func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- tool := m.tool
- if tool != "checkfc" && tool != "property_info_checker" {
- panic(fmt.Errorf("%q: unknown tool name: %q", ctx.ModuleName(), tool))
+ tool := "checkfc"
+ if m.context == PropertyContext {
+ tool = "property_info_checker"
}
if len(m.properties.Srcs) == 0 {
@@ -608,21 +642,52 @@
return
}
+ validateWithPolicy := true
if proptools.String(m.properties.Sepolicy) == "" {
- ctx.PropertyErrorf("sepolicy", "can't be empty")
- return
+ if m.context == FileContext {
+ if proptools.String(m.fileProperties.Test_data) == "" {
+ ctx.PropertyErrorf("test_data", "Either test_data or sepolicy should be provided")
+ return
+ }
+ validateWithPolicy = false
+ } else {
+ ctx.PropertyErrorf("sepolicy", "can't be empty")
+ return
+ }
+ }
+
+ flags := []string(nil)
+ switch m.context {
+ case FileContext:
+ if !validateWithPolicy {
+ flags = []string{"-t"}
+ }
+ case ServiceContext:
+ flags = []string{"-s" /* binder services */}
+ case HwServiceContext:
+ flags = []string{"-e" /* allow empty */, "-l" /* hwbinder services */}
+ case VndServiceContext:
+ flags = []string{"-e" /* allow empty */, "-v" /* vnd service */}
}
srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
- sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
-
rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool(tool).
- Flags(m.flags).
- Input(sepolicy).
- Inputs(srcs)
- m.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
+ if validateWithPolicy {
+ sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
+ rule.Command().BuiltTool(tool).
+ Flags(flags).
+ Input(sepolicy).
+ Inputs(srcs)
+ } else {
+ test_data := android.PathForModuleSrc(ctx, proptools.String(m.fileProperties.Test_data))
+ rule.Command().BuiltTool(tool).
+ Flags(flags).
+ Inputs(srcs).
+ Input(test_data)
+ }
+
+ m.testTimestamp = pathForModuleOut(ctx, "timestamp")
rule.Command().Text("touch").Output(m.testTimestamp)
rule.Build("contexts_test", "running contexts test: "+ctx.ModuleName())
}
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index c5513d0..385d6af 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -15,15 +15,17 @@
package selinux
import (
- "path/filepath"
"sort"
"android/soong/android"
)
+var currentCilTag = dependencyTag{name: "current_cil"}
+var prebuiltCilTag = dependencyTag{name: "prebuilt_cil"}
+
func init() {
ctx := android.InitRegistrationContext
- ctx.RegisterSingletonModuleType("se_freeze_test", freezeTestFactory)
+ ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
}
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
@@ -32,6 +34,9 @@
func freezeTestFactory() android.SingletonModule {
f := &freezeTestModule{}
android.InitAndroidModule(f)
+ android.AddLoadHook(f, func(ctx android.LoadHookContext) {
+ f.loadHook(ctx)
+ })
return f
}
@@ -40,26 +45,23 @@
freezeTestTimestamp android.ModuleOutPath
}
-func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
-}
-
-func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+func (f *freezeTestModule) shouldSkip(ctx android.EarlyModuleContext) bool {
platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
totVersion := ctx.DeviceConfig().TotSepolicyVersion()
+ return platformVersion == totVersion
+}
+
+func (f *freezeTestModule) loadHook(ctx android.LoadHookContext) {
extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
- f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
- if platformVersion == totVersion {
+ if f.shouldSkip(ctx) {
if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
return
}
- // we still build a rule to prevent possible regression
- android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
return
}
@@ -67,17 +69,80 @@
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
return
}
+}
- platPublic := filepath.Join(ctx.ModuleDir(), "public")
- platPrivate := filepath.Join(ctx.ModuleDir(), "private")
- prebuiltPublic := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "public")
- prebuiltPrivate := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "private")
+func (f *freezeTestModule) prebuiltCilModuleName(ctx android.EarlyModuleContext) string {
+ return ctx.DeviceConfig().PlatformSepolicyVersion() + "_plat_pub_policy.cil"
+}
- sourceDirs := append(extraDirs, platPublic, platPrivate)
- prebuiltDirs := append(extraPrebuiltDirs, prebuiltPublic, prebuiltPrivate)
+func (f *freezeTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ if f.shouldSkip(ctx) {
+ return
+ }
+
+ ctx.AddDependency(f, currentCilTag, "base_plat_pub_policy.cil")
+ ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
+}
+
+func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
+}
+
+func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
+ deps := ctx.GetDirectDepsWithTag(depTag)
+ if len(deps) != 1 {
+ ctx.ModuleErrorf("%d deps having tag %q; expected only one dep", len(deps), depTag)
+ return nil
+ }
+
+ dep := deps[0]
+ outputFileProducer, ok := dep.(android.OutputFileProducer)
+ if !ok {
+ ctx.ModuleErrorf("module %q is not an output file producer", dep.String())
+ return nil
+ }
+
+ output, err := outputFileProducer.OutputFiles("")
+ if err != nil {
+ ctx.ModuleErrorf("module %q failed to produce output: %w", dep.String(), err)
+ return nil
+ }
+ if len(output) != 1 {
+ ctx.ModuleErrorf("module %q produced %d outputs; expected only one output", dep.String(), len(output))
+ return nil
+ }
+
+ return output[0]
+}
+
+func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
+
+ if f.shouldSkip(ctx) {
+ // we still build a rule to prevent possible regression
+ android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
+ return
+ }
+
+ // Freeze test 1: compare ToT sepolicy and prebuilt sepolicy
+ currentCil := f.outputFileOfDep(ctx, currentCilTag)
+ prebuiltCil := f.outputFileOfDep(ctx, prebuiltCilTag)
+ if ctx.Failed() {
+ return
+ }
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().BuiltTool("sepolicy_freeze_test").
+ FlagWithInput("-c ", currentCil).
+ FlagWithInput("-p ", prebuiltCil)
+
+ // Freeze test 2: compare extra directories
+ // We don't know the exact structure of extra directories, so just directly compare them
+ extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
+ extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
var implicits []string
- for _, dir := range append(sourceDirs, prebuiltDirs...) {
+ for _, dir := range append(extraDirs, extraPrebuiltDirs...) {
glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
if err != nil {
ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
@@ -87,15 +152,13 @@
}
sort.Strings(implicits)
- rule := android.NewRuleBuilder(pctx, ctx)
-
- for idx, _ := range sourceDirs {
+ for idx, _ := range extraDirs {
rule.Command().Text("diff").
Flag("-r").
Flag("-q").
FlagWithArg("-x ", "bug_map"). // exclude
- Text(sourceDirs[idx]).
- Text(prebuiltDirs[idx])
+ Text(extraDirs[idx]).
+ Text(extraPrebuiltDirs[idx])
}
rule.Command().Text("touch").
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 98dd3cf..6e159e9 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -29,6 +29,9 @@
}
type neverallowTestProperties struct {
+ // Default modules for conf
+ Defaults []string
+
// Policy files to be tested.
Srcs []string `android:"path"`
}
@@ -36,7 +39,7 @@
type neverallowTestModule struct {
android.ModuleBase
properties neverallowTestProperties
- testTimestamp android.ModuleOutPath
+ testTimestamp android.OutputPath
}
type nameProperties struct {
@@ -79,6 +82,10 @@
Srcs: n.properties.Srcs,
Build_variant: proptools.StringPtr("user"),
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: n.properties.Defaults,
})
sepolicyAnalyzeConf := n.sepolicyAnalyzeConfModuleName()
@@ -89,6 +96,10 @@
Build_variant: proptools.StringPtr("user"),
Exclude_build_test: proptools.BoolPtr(true),
Installable: proptools.BoolPtr(false),
+ }, &struct {
+ Defaults []string
+ }{
+ Defaults: n.properties.Defaults,
})
}
@@ -98,7 +109,7 @@
}
func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- n.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
+ n.testTimestamp = pathForModuleOut(ctx, "timestamp")
if ctx.Config().SelinuxIgnoreNeverallows() {
// just touch
android.WriteFileRule(ctx, n.testTimestamp, "")
@@ -146,7 +157,7 @@
rule := android.NewRuleBuilder(pctx, ctx)
// Step 1. Build a binary policy from the conf file including build test
- binaryPolicy := android.PathForModuleOut(ctx, "policy")
+ binaryPolicy := pathForModuleOut(ctx, "policy")
rule.Command().BuiltTool("checkpolicy").
Flag("-M").
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 1e7b663..48a3890 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -51,7 +51,10 @@
"android.hardware.broadcastradio.IBroadcastRadio/amfm": EXCEPTION_NO_FUZZER,
"android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
"android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
"android.hardware.contexthub.IContextHub/default": EXCEPTION_NO_FUZZER,
@@ -69,6 +72,9 @@
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.macsec.IMacsecPskPlugin/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
"android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
"android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
@@ -111,15 +117,19 @@
"android.hardware.secure_element.ISecureElement/SIM1": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM2": EXCEPTION_NO_FUZZER,
"android.hardware.secure_element.ISecureElement/SIM3": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure": []string{"android.hardware.authgraph-service.nonsecure_fuzzer"},
"android.hardware.security.dice.IDiceDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IKeyMintDevice/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure": EXCEPTION_NO_FUZZER,
"android.hardware.security.secureclock.ISecureClock/default": EXCEPTION_NO_FUZZER,
"android.hardware.security.sharedsecret.ISharedSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.sensors.ISensors/default": EXCEPTION_NO_FUZZER,
"android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
"android.hardware.tetheroffload.IOffload/default": EXCEPTION_NO_FUZZER,
"android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.threadnetwork.IThreadChip/chip0": []string{"android.hardware.threadnetwork-service.fuzzer"},
"android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
"android.hardware.tv.hdmi.earc.IEArc/default": EXCEPTION_NO_FUZZER,
@@ -138,6 +148,7 @@
"android.frameworks.location.altitude.IAltitudeService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.vibrator.IVibratorControlService/default": EXCEPTION_NO_FUZZER,
"android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
"android.system.keystore2.IKeystoreService/default": EXCEPTION_NO_FUZZER,
"android.system.net.netd.INetd/default": []string{"netd_hw_service_fuzzer"},
@@ -150,25 +161,27 @@
"adservices_manager": EXCEPTION_NO_FUZZER,
"aidl_lazy_test_1": EXCEPTION_NO_FUZZER,
"aidl_lazy_test_2": EXCEPTION_NO_FUZZER,
+ "aidl_lazy_test_quit": EXCEPTION_NO_FUZZER,
"aidl_lazy_cb_test": EXCEPTION_NO_FUZZER,
"alarm": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/default": EXCEPTION_NO_FUZZER,
- "android.os.UpdateEngineService": EXCEPTION_NO_FUZZER,
- "android.os.UpdateEngineStableService": EXCEPTION_NO_FUZZER,
+ "android.os.UpdateEngineService": []string{"update_engine_service_fuzzer"},
+ "android.os.UpdateEngineStableService": []string{"update_engine_service_fuzzer"},
"android.frameworks.automotive.display.ICarDisplayProxy/default": EXCEPTION_NO_FUZZER,
"android.security.apc": EXCEPTION_NO_FUZZER,
"android.security.authorization": []string{"authorization_service_fuzzer"},
"android.security.compat": EXCEPTION_NO_FUZZER,
"android.security.dice.IDiceMaintenance": EXCEPTION_NO_FUZZER,
"android.security.dice.IDiceNode": EXCEPTION_NO_FUZZER,
- "android.security.identity": EXCEPTION_NO_FUZZER,
+ "android.security.identity": []string{"credstore_service_fuzzer"},
"android.security.keystore": EXCEPTION_NO_FUZZER,
"android.security.legacykeystore": EXCEPTION_NO_FUZZER,
"android.security.maintenance": EXCEPTION_NO_FUZZER,
"android.security.metrics": EXCEPTION_NO_FUZZER,
- "android.service.gatekeeper.IGateKeeperService": EXCEPTION_NO_FUZZER,
+ "android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
"android.system.composd": EXCEPTION_NO_FUZZER,
// TODO(b/294158658): add fuzzer
+ "android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
@@ -178,6 +191,7 @@
"app_prediction": EXCEPTION_NO_FUZZER,
"app_search": EXCEPTION_NO_FUZZER,
"apexservice": EXCEPTION_NO_FUZZER,
+ "archive": EXCEPTION_NO_FUZZER,
"attestation_verification": EXCEPTION_NO_FUZZER,
"blob_store": EXCEPTION_NO_FUZZER,
"gsiservice": EXCEPTION_NO_FUZZER,
@@ -255,6 +269,7 @@
"face": EXCEPTION_NO_FUZZER,
"file_integrity": EXCEPTION_NO_FUZZER,
"fingerprint": EXCEPTION_NO_FUZZER,
+ "feature_flags": EXCEPTION_NO_FUZZER,
"font": EXCEPTION_NO_FUZZER,
"android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
"game": EXCEPTION_NO_FUZZER,
@@ -262,19 +277,19 @@
"gnss_time_update_service": EXCEPTION_NO_FUZZER,
"grammatical_inflection": EXCEPTION_NO_FUZZER,
"graphicsstats": EXCEPTION_NO_FUZZER,
- "gpu": EXCEPTION_NO_FUZZER,
+ "gpu": []string{"gpu_service_fuzzer"},
"hardware": EXCEPTION_NO_FUZZER,
"hardware_properties": EXCEPTION_NO_FUZZER,
"hdmi_control": EXCEPTION_NO_FUZZER,
"healthconnect": EXCEPTION_NO_FUZZER,
"ions": EXCEPTION_NO_FUZZER,
"idmap": EXCEPTION_NO_FUZZER,
- "incident": EXCEPTION_NO_FUZZER,
+ "incident": []string{"incidentd_service_fuzzer"},
"incidentcompanion": EXCEPTION_NO_FUZZER,
"inputflinger": EXCEPTION_NO_FUZZER,
"input_method": EXCEPTION_NO_FUZZER,
"input": EXCEPTION_NO_FUZZER,
- "installd": EXCEPTION_NO_FUZZER,
+ "installd": []string{"installd_service_fuzzer"},
"iphonesubinfo_msim": EXCEPTION_NO_FUZZER,
"iphonesubinfo2": EXCEPTION_NO_FUZZER,
"iphonesubinfo": EXCEPTION_NO_FUZZER,
@@ -300,16 +315,16 @@
"logd": EXCEPTION_NO_FUZZER,
"looper_stats": EXCEPTION_NO_FUZZER,
"lpdump_service": EXCEPTION_NO_FUZZER,
- "mdns": []string{"mdns_service_fuzzer"},
+ "mdns": EXCEPTION_NO_FUZZER,
"media.aaudio": EXCEPTION_NO_FUZZER,
- "media.audio_flinger": EXCEPTION_NO_FUZZER,
- "media.audio_policy": EXCEPTION_NO_FUZZER,
- "media.camera": EXCEPTION_NO_FUZZER,
+ "media.audio_flinger": []string{"audioflinger_aidl_fuzzer"},
+ "media.audio_policy": []string{"audiopolicy_aidl_fuzzer"},
+ "media.camera": []string{"camera_service_aidl_fuzzer"},
"media.camera.proxy": EXCEPTION_NO_FUZZER,
"media.log": EXCEPTION_NO_FUZZER,
- "media.player": EXCEPTION_NO_FUZZER,
- "media.metrics": EXCEPTION_NO_FUZZER,
- "media.extractor": EXCEPTION_NO_FUZZER,
+ "media.player": []string{"media_player_service_fuzzer"},
+ "media.metrics": []string{"mediametrics_aidl_fuzzer"},
+ "media.extractor": []string{"mediaextractor_service_fuzzer"},
"media.transcoding": EXCEPTION_NO_FUZZER,
"media.resource_manager": EXCEPTION_NO_FUZZER,
"media.resource_observer": EXCEPTION_NO_FUZZER,
@@ -340,6 +355,7 @@
"oem_lock": EXCEPTION_NO_FUZZER,
"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
"otadexopt": EXCEPTION_NO_FUZZER,
+ "ot_daemon": []string{"ot_daemon_service_fuzzer"},
"overlay": EXCEPTION_NO_FUZZER,
"pac_proxy": EXCEPTION_NO_FUZZER,
"package": EXCEPTION_NO_FUZZER,
@@ -367,6 +383,7 @@
"rcs": EXCEPTION_NO_FUZZER,
"reboot_readiness": EXCEPTION_NO_FUZZER,
"recovery": EXCEPTION_NO_FUZZER,
+ "remote_auth": EXCEPTION_NO_FUZZER,
"remote_provisioning": EXCEPTION_NO_FUZZER,
"resolver": EXCEPTION_NO_FUZZER,
"resources": EXCEPTION_NO_FUZZER,
@@ -383,6 +400,7 @@
"search": EXCEPTION_NO_FUZZER,
"search_ui": EXCEPTION_NO_FUZZER,
"secure_element": EXCEPTION_NO_FUZZER,
+ "security_state": EXCEPTION_NO_FUZZER,
"sec_key_att_app_id_provider": EXCEPTION_NO_FUZZER,
"selection_toolbar": EXCEPTION_NO_FUZZER,
"sensorservice": EXCEPTION_NO_FUZZER,
@@ -406,14 +424,14 @@
"soundtrigger": EXCEPTION_NO_FUZZER,
"soundtrigger_middleware": EXCEPTION_NO_FUZZER,
"statusbar": EXCEPTION_NO_FUZZER,
- "storaged": EXCEPTION_NO_FUZZER,
- "storaged_pri": EXCEPTION_NO_FUZZER,
+ "storaged": []string{"storaged_service_fuzzer"},
+ "storaged_pri": []string{"storaged_private_service_fuzzer"},
"storagestats": EXCEPTION_NO_FUZZER,
"sdk_sandbox": EXCEPTION_NO_FUZZER,
"SurfaceFlinger": EXCEPTION_NO_FUZZER,
"SurfaceFlingerAIDL": EXCEPTION_NO_FUZZER,
- "suspend_control": EXCEPTION_NO_FUZZER,
- "suspend_control_internal": EXCEPTION_NO_FUZZER,
+ "suspend_control": []string{"suspend_service_fuzzer"},
+ "suspend_control_internal": []string{"suspend_service_internal_fuzzer"},
"system_config": EXCEPTION_NO_FUZZER,
"system_server_dumper": EXCEPTION_NO_FUZZER,
"system_update": EXCEPTION_NO_FUZZER,
@@ -427,6 +445,7 @@
"textclassification": EXCEPTION_NO_FUZZER,
"textservices": EXCEPTION_NO_FUZZER,
"texttospeech": EXCEPTION_NO_FUZZER,
+ "thread_network": EXCEPTION_NO_FUZZER,
"time_detector": EXCEPTION_NO_FUZZER,
"time_zone_detector": EXCEPTION_NO_FUZZER,
"thermalservice": EXCEPTION_NO_FUZZER,
@@ -434,6 +453,7 @@
"translation": EXCEPTION_NO_FUZZER,
"transparency": EXCEPTION_NO_FUZZER,
"trust": EXCEPTION_NO_FUZZER,
+ "tv_ad": EXCEPTION_NO_FUZZER,
"tv_interactive_app": EXCEPTION_NO_FUZZER,
"tv_input": EXCEPTION_NO_FUZZER,
"tv_tuner_resource_mgr": EXCEPTION_NO_FUZZER,
@@ -449,6 +469,8 @@
"vibrator": EXCEPTION_NO_FUZZER,
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
+ "virtualdevice_native": EXCEPTION_NO_FUZZER,
+ "virtual_camera": EXCEPTION_NO_FUZZER,
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
"vold": []string{"vold_native_service_fuzzer"},
@@ -461,7 +483,7 @@
"wifip2p": EXCEPTION_NO_FUZZER,
"wifiscanner": EXCEPTION_NO_FUZZER,
"wifi": EXCEPTION_NO_FUZZER,
- "wifinl80211": EXCEPTION_NO_FUZZER,
+ "wifinl80211": []string{"wificond_service_fuzzer"},
"wifiaware": EXCEPTION_NO_FUZZER,
"wifirtt": EXCEPTION_NO_FUZZER,
"window": EXCEPTION_NO_FUZZER,
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index c316d2a..be396e3 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -103,7 +103,7 @@
stem = ctx.ModuleName()
}
- out := android.PathForModuleOut(ctx, stem)
+ out := pathForModuleOut(ctx, stem)
rule := android.NewRuleBuilder(pctx, ctx)
if proptools.String(m.properties.Base) == "" {
diff --git a/com.android.sepolicy/33/Android.bp b/com.android.sepolicy/33/Android.bp
deleted file mode 100644
index f3387ac..0000000
--- a/com.android.sepolicy/33/Android.bp
+++ /dev/null
@@ -1,56 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-genrule {
- name: "apex_file_contexts-33.gen",
- defaults: ["sepolicy_file_contexts_gen_default"],
- srcs: ["file_contexts"],
- out: ["apex_file_contexts-33"],
-}
-
-prebuilt_etc {
- name: "apex_file_contexts-33",
- filename: "apex_file_contexts",
- src: ":apex_file_contexts-33.gen",
- installable: false,
-}
-
-prebuilt_etc {
- name: "apex_property_contexts-33",
- filename: "apex_property_contexts",
- src: "property_contexts",
- installable: false,
-}
-
-prebuilt_etc {
- name: "apex_service_contexts-33",
- filename: "apex_service_contexts",
- src: "service_contexts",
- installable: false,
-}
-
-prebuilt_etc {
- name: "apex_seapp_contexts-33",
- filename: "apex_seapp_contexts",
- src: "seapp_contexts",
- installable: false,
-}
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
deleted file mode 100644
index ffe4660..0000000
--- a/com.android.sepolicy/33/definitions/definitions.cil
+++ /dev/null
@@ -1,15 +0,0 @@
-; This file is required for sepolicy amend (go/seamendc).
-; The seamendc binary reads an amend SELinux policy as input in CIL format and applies its rules to
-; a binary SELinux policy. To parse the input correctly, we require the amend policy to be a valid
-; standalone policy. This file contains the preliminary statements(sid, sidorder, etc.) and
-; definitions (type, typeattribute, class, etc.) necessary to make the amend policy compile
-; successfully.
-(sid amend)
-(sidorder (amend))
-
-(classorder (file))
-
-;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
-(type shell)
-(type sepolicy_test_file)
-(class file (ioctl read getattr lock map open watch watch_reads))
diff --git a/com.android.sepolicy/33/file_contexts b/com.android.sepolicy/33/file_contexts
deleted file mode 100644
index 14f99f9..0000000
--- a/com.android.sepolicy/33/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/dev/selinux/apex_test u:object_r:sepolicy_test_file:s0
diff --git a/com.android.sepolicy/33/property_contexts b/com.android.sepolicy/33/property_contexts
deleted file mode 100644
index e69de29..0000000
--- a/com.android.sepolicy/33/property_contexts
+++ /dev/null
diff --git a/com.android.sepolicy/33/seapp_contexts b/com.android.sepolicy/33/seapp_contexts
deleted file mode 100644
index e69de29..0000000
--- a/com.android.sepolicy/33/seapp_contexts
+++ /dev/null
diff --git a/com.android.sepolicy/33/service_contexts b/com.android.sepolicy/33/service_contexts
deleted file mode 100644
index e69de29..0000000
--- a/com.android.sepolicy/33/service_contexts
+++ /dev/null
diff --git a/com.android.sepolicy/33/shell.te b/com.android.sepolicy/33/shell.te
deleted file mode 100644
index 757328e..0000000
--- a/com.android.sepolicy/33/shell.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow shell sepolicy_test_file:file r_file_perms;
-
diff --git a/com.android.sepolicy/Android.bp b/com.android.sepolicy/Android.bp
deleted file mode 100644
index 1e042f3..0000000
--- a/com.android.sepolicy/Android.bp
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-genrule_defaults {
- name: "sepolicy_file_contexts_gen_default",
- tools: ["fc_sort"],
- cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
- "$(location fc_sort) -i $(out).tmp -o $(out)",
-}
diff --git a/compat/Android.bp b/compat/Android.bp
index 04a239e..2c6239f 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -133,6 +133,7 @@
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map{.plat_private}"],
top_half: "plat_30.0.cil",
+ version: "29.0",
}
se_cil_compat_map {
@@ -140,6 +141,7 @@
stem: "30.0.cil",
bottom_half: [":30.0.board.compat.map{.plat_private}"],
top_half: "plat_31.0.cil",
+ version: "30.0",
}
se_cil_compat_map {
@@ -147,6 +149,7 @@
stem: "31.0.cil",
bottom_half: [":31.0.board.compat.map{.plat_private}"],
top_half: "plat_32.0.cil",
+ version: "31.0",
}
se_cil_compat_map {
@@ -154,12 +157,15 @@
stem: "32.0.cil",
bottom_half: [":32.0.board.compat.map{.plat_private}"],
top_half: "plat_33.0.cil",
+ version: "32.0",
}
se_cil_compat_map {
name: "plat_33.0.cil",
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.plat_private}"],
+ top_half: "plat_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -168,6 +174,7 @@
bottom_half: [":29.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_30.0.cil",
system_ext_specific: true,
+ version: "29.0",
}
se_cil_compat_map {
@@ -176,6 +183,7 @@
bottom_half: [":30.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_31.0.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -184,6 +192,7 @@
bottom_half: [":31.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_32.0.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -192,6 +201,7 @@
bottom_half: [":32.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_33.0.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -199,6 +209,8 @@
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.system_ext_private}"],
system_ext_specific: true,
+ top_half: "system_ext_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -207,6 +219,7 @@
bottom_half: [":29.0.board.compat.map{.product_private}"],
top_half: "product_30.0.cil",
product_specific: true,
+ version: "29.0",
}
se_cil_compat_map {
@@ -215,6 +228,7 @@
bottom_half: [":30.0.board.compat.map{.product_private}"],
top_half: "product_31.0.cil",
product_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -223,6 +237,7 @@
bottom_half: [":31.0.board.compat.map{.product_private}"],
top_half: "product_32.0.cil",
product_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -231,6 +246,7 @@
bottom_half: [":32.0.board.compat.map{.product_private}"],
top_half: "product_33.0.cil",
product_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -238,35 +254,43 @@
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.product_private}"],
product_specific: true,
+ top_half: "product_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
name: "29.0.ignore.cil",
bottom_half: [":29.0.board.ignore.map{.plat_private}"],
top_half: "30.0.ignore.cil",
+ version: "29.0",
}
se_cil_compat_map {
name: "30.0.ignore.cil",
bottom_half: [":30.0.board.ignore.map{.plat_private}"],
top_half: "31.0.ignore.cil",
+ version: "30.0",
}
se_cil_compat_map {
name: "31.0.ignore.cil",
bottom_half: [":31.0.board.ignore.map{.plat_private}"],
top_half: "32.0.ignore.cil",
+ version: "31.0",
}
se_cil_compat_map {
name: "32.0.ignore.cil",
bottom_half: [":32.0.board.ignore.map{.plat_private}"],
top_half: "33.0.ignore.cil",
+ version: "32.0",
}
se_cil_compat_map {
name: "33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.plat_private}"],
+ top_half: "34.0.ignore.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -274,6 +298,7 @@
bottom_half: [":30.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_31.0.ignore.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -281,6 +306,7 @@
bottom_half: [":31.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_32.0.ignore.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -288,12 +314,15 @@
bottom_half: [":32.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_33.0.ignore.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
name: "system_ext_33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.system_ext_private}"],
system_ext_specific: true,
+ top_half: "system_ext_34.0.ignore.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -301,6 +330,7 @@
bottom_half: [":30.0.board.ignore.map{.product_private}"],
top_half: "product_31.0.ignore.cil",
product_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -308,6 +338,7 @@
bottom_half: [":31.0.board.ignore.map{.product_private}"],
top_half: "product_32.0.ignore.cil",
product_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -315,37 +346,45 @@
bottom_half: [":32.0.board.ignore.map{.product_private}"],
top_half: "product_33.0.ignore.cil",
product_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
name: "product_33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.product_private}"],
product_specific: true,
+ top_half: "product_34.0.ignore.cil",
+ version: "33.0",
}
se_compat_cil {
name: "29.0.compat.cil",
srcs: [":29.0.board.compat.cil{.plat_private}"],
+ version: "29.0",
}
se_compat_cil {
name: "30.0.compat.cil",
srcs: [":30.0.board.compat.cil{.plat_private}"],
+ version: "30.0",
}
se_compat_cil {
name: "31.0.compat.cil",
srcs: [":31.0.board.compat.cil{.plat_private}"],
+ version: "31.0",
}
se_compat_cil {
name: "32.0.compat.cil",
srcs: [":32.0.board.compat.cil{.plat_private}"],
+ version: "32.0",
}
se_compat_cil {
name: "33.0.compat.cil",
srcs: [":33.0.board.compat.cil{.plat_private}"],
+ version: "33.0",
}
se_compat_cil {
@@ -353,6 +392,7 @@
srcs: [":29.0.board.compat.cil{.system_ext_private}"],
stem: "29.0.compat.cil",
system_ext_specific: true,
+ version: "29.0",
}
se_compat_cil {
@@ -360,6 +400,7 @@
srcs: [":30.0.board.compat.cil{.system_ext_private}"],
stem: "30.0.compat.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_compat_cil {
@@ -367,6 +408,7 @@
srcs: [":31.0.board.compat.cil{.system_ext_private}"],
stem: "31.0.compat.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_compat_cil {
@@ -374,6 +416,7 @@
srcs: [":32.0.board.compat.cil{.system_ext_private}"],
stem: "32.0.compat.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_compat_cil {
@@ -381,8 +424,84 @@
srcs: [":33.0.board.compat.cil{.system_ext_private}"],
stem: "33.0.compat.cil",
system_ext_specific: true,
+ version: "33.0",
}
se_compat_test {
name: "sepolicy_compat_test",
+ defaults: ["se_policy_conf_flags_defaults"],
+}
+
+se_build_files {
+ name: "34.0.board.compat.map",
+ srcs: ["compat/34.0/34.0.cil"],
+}
+
+se_build_files {
+ name: "34.0.board.compat.cil",
+ srcs: ["compat/34.0/34.0.compat.cil"],
+}
+
+se_build_files {
+ name: "34.0.board.ignore.map",
+ srcs: ["compat/34.0/34.0.ignore.cil"],
+}
+
+se_cil_compat_map {
+ name: "plat_34.0.cil",
+ stem: "34.0.cil",
+ bottom_half: [":34.0.board.compat.map{.plat_private}"],
+ version: "34.0",
+}
+
+se_cil_compat_map {
+ name: "system_ext_34.0.cil",
+ stem: "34.0.cil",
+ bottom_half: [":34.0.board.compat.map{.system_ext_private}"],
+ system_ext_specific: true,
+ version: "34.0",
+}
+
+se_cil_compat_map {
+ name: "product_34.0.cil",
+ stem: "34.0.cil",
+ bottom_half: [":34.0.board.compat.map{.product_private}"],
+ product_specific: true,
+ version: "34.0",
+}
+
+se_cil_compat_map {
+ name: "34.0.ignore.cil",
+ bottom_half: [":34.0.board.ignore.map{.plat_private}"],
+ version: "34.0",
+}
+
+se_cil_compat_map {
+ name: "system_ext_34.0.ignore.cil",
+ stem: "34.0.ignore.cil",
+ bottom_half: [":34.0.board.ignore.map{.system_ext_private}"],
+ system_ext_specific: true,
+ version: "34.0",
+}
+
+se_cil_compat_map {
+ name: "product_34.0.ignore.cil",
+ stem: "34.0.ignore.cil",
+ bottom_half: [":34.0.board.ignore.map{.product_private}"],
+ product_specific: true,
+ version: "34.0",
+}
+
+se_compat_cil {
+ name: "34.0.compat.cil",
+ srcs: [":34.0.board.compat.cil{.plat_private}"],
+ version: "34.0",
+}
+
+se_compat_cil {
+ name: "system_ext_34.0.compat.cil",
+ stem: "34.0.compat.cil",
+ srcs: [":34.0.board.compat.cil{.system_ext_private}"],
+ system_ext_specific: true,
+ version: "34.0",
}
diff --git a/contexts/Android.bp b/contexts/Android.bp
index d5cd8ae..464c772 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -70,6 +70,7 @@
file_contexts {
name: "plat_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
product_variables: {
address_sanitize: {
@@ -79,14 +80,11 @@
srcs: [":file_contexts_overlayfs_files{.plat_private}"],
},
},
-
- flatten_apex: {
- srcs: [":apex_file_contexts_files"],
- },
}
file_contexts {
name: "plat_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.plat_private}"],
stem: "plat_file_contexts",
product_variables: {
@@ -97,41 +95,42 @@
srcs: [":file_contexts_overlayfs_files{.plat_private}"],
},
},
-
- flatten_apex: {
- srcs: [":apex_file_contexts_files"],
- },
-
recovery: true,
}
file_contexts {
name: "vendor_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
soc_specific: true,
+ fc_sort: true,
}
file_contexts {
name: "vendor_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
stem: "vendor_file_contexts",
recovery: true,
+ fc_sort: true,
}
file_contexts {
name: "system_ext_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
file_contexts {
name: "system_ext_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.system_ext_private}"],
stem: "system_ext_file_contexts",
recovery: true,
@@ -139,12 +138,14 @@
file_contexts {
name: "product_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
product_specific: true,
}
file_contexts {
name: "product_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.product_private}"],
stem: "product_file_contexts",
recovery: true,
@@ -152,57 +153,68 @@
file_contexts {
name: "odm_file_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
device_specific: true,
+ fc_sort: true,
}
file_contexts {
name: "odm_file_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":file_contexts_files{.odm}"],
stem: "odm_file_contexts",
recovery: true,
+ fc_sort: true,
}
hwservice_contexts {
name: "plat_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.plat_private}"],
}
hwservice_contexts {
name: "system_ext_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
hwservice_contexts {
name: "product_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.product_private}"],
product_specific: true,
}
hwservice_contexts {
name: "vendor_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
- ":hwservice_contexts_files{.plat_vendor_for_vendor}",
+ ":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
- ":hwservice_contexts_files{.reqd_mask_for_vendor}",
+ ":hwservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
hwservice_contexts {
name: "odm_hwservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":hwservice_contexts_files{.odm}"],
device_specific: true,
}
property_contexts {
name: "plat_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
}
property_contexts {
name: "plat_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.plat_private}"],
stem: "plat_property_contexts",
recovery: true,
@@ -210,6 +222,7 @@
property_contexts {
name: "system_ext_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@@ -217,6 +230,7 @@
property_contexts {
name: "product_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@@ -224,10 +238,11 @@
property_contexts {
name: "vendor_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
- ":property_contexts_files{.plat_vendor_for_vendor}",
+ ":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
- ":property_contexts_files{.reqd_mask_for_vendor}",
+ ":property_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -235,6 +250,7 @@
property_contexts {
name: "odm_property_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.odm}"],
device_specific: true,
recovery_available: true,
@@ -242,11 +258,13 @@
service_contexts {
name: "plat_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
}
service_contexts {
name: "plat_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.plat_private}"],
stem: "plat_service_contexts",
recovery: true,
@@ -254,6 +272,7 @@
service_contexts {
name: "system_ext_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.system_ext_private}"],
system_ext_specific: true,
recovery_available: true,
@@ -261,6 +280,7 @@
service_contexts {
name: "product_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.product_private}"],
product_specific: true,
recovery_available: true,
@@ -268,10 +288,11 @@
service_contexts {
name: "vendor_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
- ":service_contexts_files{.plat_vendor_for_vendor}",
+ ":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
- ":service_contexts_files{.reqd_mask_for_vendor}",
+ ":service_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -279,6 +300,7 @@
service_contexts {
name: "odm_service_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":service_contexts_files{.odm}",
],
@@ -288,39 +310,45 @@
keystore2_key_contexts {
name: "plat_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.plat_private}"],
}
keystore2_key_contexts {
name: "system_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
system_ext_specific: true,
}
keystore2_key_contexts {
name: "product_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":keystore2_key_contexts_files{.product_private}"],
product_specific: true,
}
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
- ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
+ ":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
- ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
+ ":keystore2_key_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
seapp_contexts {
name: "plat_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.plat_private}"],
sepolicy: ":precompiled_sepolicy",
}
seapp_contexts {
name: "system_ext_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.system_ext_private}"],
neverallow_files: [":seapp_contexts_files{.plat_private}"],
system_ext_specific: true,
@@ -329,6 +357,7 @@
seapp_contexts {
name: "product_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [":seapp_contexts_files{.product_private}"],
neverallow_files: [
":seapp_contexts_files{.plat_private}",
@@ -340,15 +369,16 @@
seapp_contexts {
name: "vendor_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
- ":seapp_contexts_files{.plat_vendor_for_vendor}",
+ ":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
- ":seapp_contexts_files{.reqd_mask_for_vendor}",
+ ":seapp_contexts_files{.reqd_mask}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
soc_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -356,13 +386,14 @@
seapp_contexts {
name: "odm_seapp_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
":seapp_contexts_files{.odm}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
device_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -370,10 +401,11 @@
vndservice_contexts {
name: "vndservice_contexts",
+ defaults: ["contexts_flags_defaults"],
srcs: [
- ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+ ":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",
- ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+ ":vndservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -399,6 +431,12 @@
}
file_contexts_test {
+ name: "plat_file_contexts_data_test",
+ srcs: [":file_contexts_files{.plat_private}"],
+ test_data: "plat_file_contexts_test",
+}
+
+file_contexts_test {
name: "system_ext_file_contexts_test",
srcs: [":system_ext_file_contexts"],
sepolicy: ":precompiled_sepolicy",
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
new file mode 100644
index 0000000..54dc1f3
--- /dev/null
+++ b/contexts/plat_file_contexts_test
@@ -0,0 +1,1271 @@
+# Test data for private/file_contexts.
+#
+# It can be passed to checkfc to confirm that the regular expressions in
+# file_contexts are matching the intended paths.
+/ rootfs
+/adb_keys adb_keys_file
+/build.prop rootfs
+/default.prop rootfs
+/fstab.persist rootfs
+/fstab.postinstall rootfs
+/init.rc rootfs
+/init.environ.rc rootfs
+/res rootfs
+/res/test rootfs
+/selinux_version rootfs
+/ueventd.rc rootfs
+/ueventd.common.rc rootfs
+/verity_key rootfs
+
+/init init_exec
+/sbin rootfs
+/sbin/su rootfs
+
+/lib rootfs
+/lib/lib.so rootfs
+/system_dlkm system_dlkm_file
+/system_dlkm/lib/modules/modules.load system_dlkm_file
+
+/lost+found rootfs
+/acct cgroup
+/config rootfs
+/data_mirror mirror_data_file
+/debug_ramdisk tmpfs
+/mnt tmpfs
+/proc rootfs
+/second_stage_resources tmpfs
+/sys sysfs
+/apex apex_mnt_dir
+/bootstrap-apex apex_mnt_dir
+
+/postinstall postinstall_mnt_dir
+/postinstall/apex postinstall_apex_mnt_dir
+
+/apex/.bootstrap-apex-info-list.xml apex_info_file
+/apex/.default-apex-info-list.xml apex_info_file
+/apex/apex-info-list.xml apex_info_file
+
+/bin rootfs
+/bugreports rootfs
+/charger rootfs
+/d rootfs
+/etc rootfs
+/sdcard rootfs
+
+/vendor_file_contexts file_contexts_file
+/plat_file_contexts file_contexts_file
+/product_file_contexts file_contexts_file
+/mapping_sepolicy.cil sepolicy_file
+/plat_sepolicy.cil sepolicy_file
+/plat_property_contexts property_contexts_file
+/product_property_contexts property_contexts_file
+/vendor_property_contexts property_contexts_file
+/seapp_contexts seapp_contexts_file
+/vendor_seapp_contexts seapp_contexts_file
+/plat_seapp_contexts seapp_contexts_file
+/sepolicy sepolicy_file
+/plat_service_contexts service_contexts_file
+/plat_hwservice_contexts hwservice_contexts_file
+/plat_keystore2_key_contexts keystore2_key_contexts_file
+/vendor_service_contexts vendor_service_contexts_file
+/vendor_hwservice_contexts hwservice_contexts_file
+/vndservice_contexts vndservice_contexts_file
+
+/dev device
+/dev/does_not_exist device
+/dev/adf graphics_device
+/dev/adf0 graphics_device
+/dev/adf123 graphics_device
+/dev/adf-interface. graphics_device
+/dev/adf-interface0. graphics_device
+/dev/adf-interface.1 graphics_device
+/dev/adf-interface2.3 graphics_device
+/dev/adf-overlay-engine. graphics_device
+/dev/adf-overlay-engine0. graphics_device
+/dev/adf-overlay-engine.1 graphics_device
+/dev/adf-overlay-engine2.3 graphics_device
+/dev/ashmem ashmem_device
+/dev/ashmemtest ashmem_libcutils_device
+/dev/ashmem-test ashmem_libcutils_device
+/dev/ashmem/test ashmem_libcutils_device
+/dev/audio audio_device
+/dev/audiotest audio_device
+/dev/audio-test audio_device
+/dev/audio/test audio_device
+/dev/binder binder_device
+/dev/block block_device
+/dev/block/does_not_exist block_device
+/dev/block123 device
+/dev/block/by-name/zoned_device zoned_block_device
+/dev/block/dm-0 dm_device
+/dev/block/dm-123 dm_device
+/dev/block/dm block_device
+/dev/block/dm- block_device
+/dev/block/ublkb0 ublk_block_device
+/dev/block/ublkb123 ublk_block_device
+/dev/block/ublkb block_device
+/dev/block/loop0 loop_device
+/dev/block/loop10 loop_device
+/dev/block/loop loop_device
+/dev/block/vda vd_device
+/dev/block/vdb vd_device
+/dev/block/vda0 vd_device
+/dev/block/vda10 vd_device
+/dev/block/vd block_device
+/dev/block/vd1a block_device
+/dev/block/vold block_device
+/dev/block/vold/disk:253,32 vold_device
+/dev/block/ram ram_device
+/dev/block/ram0 ram_device
+/dev/block/ram10 ram_device
+/dev/block/zram ram_device
+/dev/block/zram0 ram_device
+/dev/block/zram10 ram_device
+/dev/boringssl/selftest boringssl_self_test_marker
+/dev/boringssl/selftest/test boringssl_self_test_marker
+/dev/bus/usb usb_device
+/dev/bus/usb/001 usb_device
+/dev/console console_device
+/dev/cpu_variant: dev_cpu_variant
+/dev/cpu_variant:test dev_cpu_variant
+/dev/dma_heap dmabuf_heap_device
+/dev/dma_heap/test dmabuf_heap_device
+/dev/dma_heap/system dmabuf_system_heap_device
+/dev/dma_heap/system-uncached dmabuf_system_heap_device
+/dev/dma_heap/system-secure dmabuf_system_secure_heap_device
+/dev/dma_heap/system-secure-test dmabuf_system_secure_heap_device
+/dev/dma_heap/system-secure/test dmabuf_system_secure_heap_device
+/dev/dm-user dm_user_device
+/dev/dm-user/test dm_user_device
+/dev/ublk-control ublk_control_device
+/dev/device-mapper dm_device
+/dev/eac audio_device
+/dev/event-log-tags runtime_event_log_tags_file
+/dev/cgroup_info cgroup_rc_file
+/dev/cgroup_info/cgroup.rc cgroup_rc_file
+/dev/fscklogs fscklogs
+/dev/fscklogs/fsck fscklogs
+/dev/fuse fuse_device
+/dev/gnss0 gnss_device
+/dev/gnss10 gnss_device
+/dev/graphics graphics_device
+/dev/graphics/test graphics_device
+/dev/hidraw0 hidraw_device
+/dev/hidraw1 hidraw_device
+/dev/hw_random hw_random_device
+/dev/hwbinder hwbinder_device
+/dev/input input_device
+/dev/input/event0 input_device
+/dev/iio:device0 iio_device
+/dev/iio:device1 iio_device
+/dev/ion ion_device
+/dev/keychord keychord_device
+/dev/loop-control loop_control_device
+/dev/modem radio_device
+/dev/modem0 radio_device
+/dev/modem-test radio_device
+/dev/modem/test radio_device
+/dev/mtp_usb mtp_device
+/dev/pmsg0 pmsg_device
+/dev/pn544 nfc_device
+/dev/port port_device
+/dev/ppp ppp_device
+/dev/ptmx ptmx_device
+/dev/pvrsrvkm gpu_device
+/dev/kmsg kmsg_device
+/dev/kmsg_debug kmsg_debug_device
+/dev/kvm kvm_device
+/dev/null null_device
+/dev/nvhdcp1 video_device
+/dev/random random_device
+/dev/rpmsg-omx0 rpmsg_device
+/dev/rpmsg-omx1 rpmsg_device
+/dev/rproc_user rpmsg_device
+/dev/rtc0 rtc_device
+/dev/rtc9 rtc_device
+/dev/snd audio_device
+/dev/snd/controlC0 audio_device
+/dev/snd/timer audio_device
+/dev/socket socket_device
+/dev/socket/does_not_exist socket_device
+/dev/socket/adbd adbd_socket
+/dev/socket/dnsproxyd dnsproxyd_socket
+/dev/socket/dumpstate dumpstate_socket
+/dev/socket/fwmarkd fwmarkd_socket
+/dev/socket/lmkd lmkd_socket
+/dev/socket/logd logd_socket
+/dev/socket/logdr logdr_socket
+/dev/socket/logdw logdw_socket
+/dev/socket/statsdw statsdw_socket
+/dev/socket/mdns mdns_socket
+/dev/socket/mdnsd mdnsd_socket
+/dev/socket/mtpd mtpd_socket
+/dev/socket/pdx/system/buffer_hub pdx_bufferhub_dir
+/dev/socket/pdx/system/buffer_hub/client pdx_bufferhub_client_endpoint_socket
+/dev/socket/pdx/system/performance pdx_performance_dir
+/dev/socket/pdx/system/performance/client pdx_performance_client_endpoint_socket
+/dev/socket/pdx/system/vr/display pdx_display_dir
+/dev/socket/pdx/system/vr/display/client pdx_display_client_endpoint_socket
+/dev/socket/pdx/system/vr/display/manager pdx_display_manager_endpoint_socket
+/dev/socket/pdx/system/vr/display/screenshot pdx_display_screenshot_endpoint_socket
+/dev/socket/pdx/system/vr/display/vsync pdx_display_vsync_endpoint_socket
+/dev/socket/prng_seeder prng_seeder_socket
+/dev/socket/property_service property_socket
+/dev/socket/property_service_for_system property_socket
+/dev/socket/racoon racoon_socket
+/dev/socket/recovery recovery_socket
+/dev/socket/rild rild_socket
+/dev/socket/rild-debug rild_debug_socket
+/dev/socket/snapuserd snapuserd_socket
+/dev/socket/snapuserd_proxy snapuserd_proxy_socket
+/dev/socket/tombstoned_crash tombstoned_crash_socket
+/dev/socket/tombstoned_java_trace tombstoned_java_trace_socket
+/dev/socket/tombstoned_intercept tombstoned_intercept_socket
+/dev/socket/traced_consumer traced_consumer_socket
+/dev/socket/traced_perf traced_perf_socket
+/dev/socket/traced_producer traced_producer_socket
+/dev/socket/heapprofd heapprofd_socket
+/dev/socket/uncrypt uncrypt_socket
+/dev/socket/wpa_eth0 wpa_socket
+/dev/socket/wpa_eth9 wpa_socket
+/dev/socket/wpa_wlan0 wpa_socket
+/dev/socket/wpa_wlan9 wpa_socket
+/dev/socket/zygote zygote_socket
+/dev/socket/zygote_secondary zygote_socket
+/dev/socket/usap_pool_primary zygote_socket
+/dev/socket/usap_pool_secondary zygote_socket
+/dev/spdif_out audio_device
+/dev/spdif_out-test audio_device
+/dev/spdif_out/test audio_device
+/dev/sys/block/by-name/rootdisk rootdisk_sysdev
+/dev/sys/block/by-name/rootdisk/test rootdisk_sysdev
+/dev/sys/block/by-name/rootdisk-test device
+/dev/sys/block/by-name/userdata userdata_sysdev
+/dev/sys/block/by-name/userdata/test userdata_sysdev
+/dev/sys/block/by-name/userdata-test device
+/dev/sys/fs/by-name/userdata userdata_sysdev
+/dev/sys/fs/by-name/userdata/test userdata_sysdev
+/dev/sys/fs/by-name/userdata-test device
+/dev/tty owntty_device
+/dev/tty0 tty_device
+/dev/tty1 tty_device
+/dev/ttyS serial_device
+/dev/ttyS0 serial_device
+/dev/ttyS99 serial_device
+/dev/ttyUSB usb_serial_device
+/dev/ttyUSB0 usb_serial_device
+/dev/ttyUSB99 usb_serial_device
+/dev/ttyACM usb_serial_device
+/dev/ttyACM0 usb_serial_device
+/dev/ttyACM99 usb_serial_device
+/dev/tun tun_device
+/dev/uhid uhid_device
+/dev/uinput uhid_device
+/dev/uio uio_device
+/dev/uio0 uio_device
+/dev/uio9 uio_device
+/dev/urandom random_device
+/dev/usb_accessory usbaccessory_device
+/dev/v4l-touch input_device
+/dev/v4l-touch0 input_device
+/dev/v4l-touch10 input_device
+/dev/vfio vfio_device
+/dev/vfio/test vfio_device
+/dev/vfio-test device
+/dev/vhost-vsock kvm_device
+/dev/video video_device
+/dev/video0 video_device
+/dev/video99 video_device
+/dev/vndbinder vndbinder_device
+/dev/watchdog watchdog_device
+/dev/xt_qtaguid qtaguid_device
+/dev/zero zero_device
+/dev/__properties__ properties_device
+/dev/__properties__/property_info property_info
+/dev/__properties__/appcompat_override properties_device
+/dev/__properties__/appcompat_override/property_info property_info
+
+/linkerconfig linkerconfig_file
+/linkerconfig/test linkerconfig_file
+
+/system system_file
+/system/does_not_exist system_file
+/system/apex/com.android.art art_apex_dir
+/system/lib system_lib_file
+/system/lib64 system_lib_file
+/system/lib/does_not_exist system_lib_file
+/system/lib64/does_not_exist system_lib_file
+/system/lib/bootstrap system_bootstrap_lib_file
+/system/lib64/bootstrap system_bootstrap_lib_file
+/system/lib/bootstrap/test system_bootstrap_lib_file
+/system/lib64/bootstrap/test system_bootstrap_lib_file
+/system/bin/mm_events mm_events_exec
+/system/bin/atrace atrace_exec
+/system/bin/auditctl auditctl_exec
+/system/bin/bcc rs_exec
+/system/bin/blank_screen blank_screen_exec
+/system/bin/boringssl_self_test32 boringssl_self_test_exec
+/system/bin/boringssl_self_test64 boringssl_self_test_exec
+/system/bin/boringssl_self_test31 system_file
+/system/bin/prng_seeder prng_seeder_exec
+/system/bin/charger charger_exec
+/system/bin/e2fsdroid e2fs_exec
+/system/bin/mke2fs e2fs_exec
+/system/bin/e2fsck fsck_exec
+/system/bin/extra_free_kbytes.sh extra_free_kbytes_exec
+/system/bin/fsck.exfat fsck_exec
+/system/bin/fsck.f2fs fsck_exec
+/system/bin/init init_exec
+/system/bin/mini-keyctl toolbox_exec
+/system/bin/fsverity_init fsverity_init_exec
+/system/bin/sload_f2fs e2fs_exec
+/system/bin/make_f2fs e2fs_exec
+/system/bin/fsck_msdos fsck_exec
+/system/bin/tcpdump tcpdump_exec
+/system/bin/tune2fs fsck_exec
+/system/bin/resize2fs fsck_exec
+/system/bin/toolbox toolbox_exec
+/system/bin/toybox toolbox_exec
+/system/bin/ld.mc rs_exec
+/system/bin/logcat logcat_exec
+/system/bin/logcatd logcat_exec
+/system/bin/sh shell_exec
+/system/bin/run-as runas_exec
+/system/bin/bootanimation bootanim_exec
+/system/bin/bootstat bootstat_exec
+/system/bin/app_process32 zygote_exec
+/system/bin/app_process64 zygote_exec
+/system/bin/servicemanager servicemanager_exec
+/system/bin/surfaceflinger surfaceflinger_exec
+/system/bin/gpuservice gpuservice_exec
+/system/bin/bufferhubd bufferhubd_exec
+/system/bin/performanced performanced_exec
+/system/bin/drmserver drmserver_exec
+/system/bin/drmserver32 drmserver_exec
+/system/bin/drmserver64 drmserver_exec
+/system/bin/dumpstate dumpstate_exec
+/system/bin/incident incident_exec
+/system/bin/incidentd incidentd_exec
+/system/bin/incident_helper incident_helper_exec
+/system/bin/iw iw_exec
+/system/bin/netutils-wrapper-1.0 netutils_wrapper_exec
+/system/bin/vold vold_exec
+/system/bin/netd netd_exec
+/system/bin/wificond wificond_exec
+/system/bin/audioserver audioserver_exec
+/system/bin/mediadrmserver mediadrmserver_exec
+/system/bin/mediaserver mediaserver_exec
+/system/bin/mediaserver32 mediaserver_exec
+/system/bin/mediaserver64 mediaserver_exec
+/system/bin/mediametrics mediametrics_exec
+/system/bin/cameraserver cameraserver_exec
+/system/bin/mediaextractor mediaextractor_exec
+/system/bin/mediaswcodec mediaswcodec_exec
+/system/bin/mediatranscoding mediatranscoding_exec
+/system/bin/mediatuner mediatuner_exec
+/system/bin/mdnsd mdnsd_exec
+/system/bin/installd installd_exec
+/system/bin/otapreopt_chroot otapreopt_chroot_exec
+/system/bin/otapreopt_slot otapreopt_slot_exec
+/system/bin/credstore credstore_exec
+/system/bin/keystore keystore_exec
+/system/bin/keystore2 keystore_exec
+/system/bin/fingerprintd fingerprintd_exec
+/system/bin/gatekeeperd gatekeeperd_exec
+/system/bin/tombstoned tombstoned_exec
+/system/bin/recovery-persist recovery_persist_exec
+/system/bin/recovery-refresh recovery_refresh_exec
+/system/bin/sdcard sdcardd_exec
+/system/bin/snapshotctl snapshotctl_exec
+/system/bin/remount remount_exec
+/system/bin/dhcpcd dhcp_exec
+/system/bin/dhcpcd-6.8.2 dhcp_exec
+/system/bin/dmesgd dmesgd_exec
+/system/bin/mtpd mtp_exec
+/system/bin/pppd ppp_exec
+/system/bin/racoon racoon_exec
+/system/xbin/su su_exec
+/system/bin/dnsmasq dnsmasq_exec
+/system/bin/linker system_linker_exec
+/system/bin/linker64 system_linker_exec
+/system/bin/linker63 system_file
+/system/bin/linkerconfig linkerconfig_exec
+/system/bin/bootstrap/linker system_linker_exec
+/system/bin/bootstrap/linker64 system_linker_exec
+/system/bin/bootstrap/linker63 system_file
+/system/bin/bootstrap/linkerconfig linkerconfig_exec
+/system/bin/llkd llkd_exec
+/system/bin/lmkd lmkd_exec
+/system/bin/usbd usbd_exec
+/system/bin/inputflinger inputflinger_exec
+/system/bin/logd logd_exec
+/system/bin/lpdumpd lpdumpd_exec
+/system/bin/rss_hwm_reset rss_hwm_reset_exec
+/system/bin/perfetto perfetto_exec
+/system/bin/mtectrl mtectrl_exec
+/system/bin/traced traced_exec
+/system/bin/traced_perf traced_perf_exec
+/system/bin/traced_probes traced_probes_exec
+/system/bin/heapprofd heapprofd_exec
+/system/bin/uncrypt uncrypt_exec
+/system/bin/update_verifier update_verifier_exec
+/system/bin/logwrapper system_file
+/system/bin/vdc vdc_exec
+/system/bin/cppreopts.sh cppreopts_exec
+/system/bin/preloads_copy.sh preloads_copy_exec
+/system/bin/preopt2cachename preopt2cachename_exec
+/system/bin/viewcompiler viewcompiler_exec
+/system/bin/sgdisk sgdisk_exec
+/system/bin/blkid blkid_exec
+/system/bin/flags_health_check flags_health_check_exec
+/system/bin/idmap2 idmap_exec
+/system/bin/idmap2d idmap_exec
+/system/bin/update_engine update_engine_exec
+/system/bin/profcollectd profcollectd_exec
+/system/bin/profcollectctl profcollectd_exec
+/system/bin/storaged storaged_exec
+/system/bin/virtual_camera virtual_camera_exec
+/system/bin/virtual_touchpad virtual_touchpad_exec
+/system/bin/hw/android.frameworks.bufferhub@1.0-service fwk_bufferhub_exec
+/system/bin/hw/android.system.suspend-service system_suspend_exec
+/system/etc/cgroups.json cgroup_desc_file
+/system/etc/task_profiles/cgroups_0.json cgroup_desc_api_file
+/system/etc/task_profiles/cgroups_999.json cgroup_desc_api_file
+/system/etc/event-log-tags system_event_log_tags_file
+/system/etc/font_fallback.xml system_font_fallback_file
+/system/etc/group system_group_file
+/system/etc/ld.config. system_linker_config_file
+/system/etc/ld.config.test system_linker_config_file
+/system/etc/passwd system_passwd_file
+/system/etc/seccomp_policy system_seccomp_policy_file
+/system/etc/seccomp_policy/crash_dump.x86.policy system_seccomp_policy_file
+/system/etc/security/cacerts system_security_cacerts_file
+/system/etc/security/cacerts/123 system_security_cacerts_file
+/system/etc/selinux/mapping/30.0.cil sepolicy_file
+#/system/etc/selinux/mapping/30.compat.0.cil sepolicy_file
+/system/etc/selinux/plat_mac_permissions.xml mac_perms_file
+/system/etc/selinux/plat_property_contexts property_contexts_file
+/system/etc/selinux/plat_service_contexts service_contexts_file
+/system/etc/selinux/plat_hwservice_contexts hwservice_contexts_file
+/system/etc/selinux/plat_keystore2_key_contexts keystore2_key_contexts_file
+/system/etc/selinux/plat_file_contexts file_contexts_file
+/system/etc/selinux/plat_seapp_contexts seapp_contexts_file
+/system/etc/selinux/plat_sepolicy.cil sepolicy_file
+/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 sepolicy_file
+/system/etc/task_profiles.json task_profiles_file
+/system/etc/task_profiles/task_profiles_0.json task_profiles_api_file
+/system/etc/task_profiles/task_profiles_99.json task_profiles_api_file
+/system/usr/share/zoneinfo system_zoneinfo_file
+/system/usr/share/zoneinfo/0 system_zoneinfo_file
+/system/bin/adbd adbd_exec
+/system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
+/system/bin/stats stats_exec
+/system/bin/statsd statsd_exec
+/system/bin/bpfloader bpfloader_exec
+/system/bin/netbpfload bpfloader_exec
+/system/bin/watchdogd watchdogd_exec
+/system/bin/apexd apexd_exec
+/system/bin/gsid gsid_exec
+/system/bin/simpleperf simpleperf_exec
+/system/bin/simpleperf_app_runner simpleperf_app_runner_exec
+/system/bin/migrate_legacy_obb_data migrate_legacy_obb_data_exec
+/system/bin/android.frameworks.automotive.display@1.0-service automotive_display_service_exec
+/system/bin/snapuserd snapuserd_exec
+/system/bin/odsign odsign_exec
+/system/bin/vehicle_binding_util vehicle_binding_util_exec
+/system/bin/cardisplayproxyd automotive_display_service_exec
+/system/bin/evsmanagerd evsmanagerd_exec
+/system/bin/android.automotive.evs.manager@1.0 evsmanagerd_exec
+/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
+/system/bin/uprobestats uprobestats_exec
+
+/vendor vendor_file
+/vendor/does_not_exist vendor_file
+/system/vendor vendor_file
+/system/vendor/does_not_exist vendor_file
+/vendor/bin/sh vendor_shell_exec
+/system/vendor/bin/sh vendor_shell_exec
+/vendor/bin/toybox_vendor vendor_toolbox_exec
+/system/vendor/bin/toybox_vendor vendor_toolbox_exec
+/vendor/bin/toolbox vendor_toolbox_exec
+/system/vendor/bin/toolbox vendor_toolbox_exec
+/vendor/etc vendor_configs_file
+/vendor/etc/does_not_exist vendor_configs_file
+/system/vendor/etc vendor_configs_file
+/system/vendor/etc/does_not_exist vendor_configs_file
+/vendor/etc/cgroups.json vendor_cgroup_desc_file
+/system/vendor/etc/cgroups.json vendor_cgroup_desc_file
+/vendor/etc/task_profiles.json vendor_task_profiles_file
+/system/vendor/etc/task_profiles.json vendor_task_profiles_file
+
+/vendor/lib/egl same_process_hal_file
+/vendor/lib64/egl same_process_hal_file
+/vendor/lib/egl/test same_process_hal_file
+/vendor/lib64/egl/test same_process_hal_file
+/system/vendor/lib/egl same_process_hal_file
+/system/vendor/lib64/egl same_process_hal_file
+/system/vendor/lib/egl/test same_process_hal_file
+/system/vendor/lib64/egl/test same_process_hal_file
+
+/vendor/lib/vndk-sp vndk_sp_file
+/vendor/lib64/vndk-sp vndk_sp_file
+/vendor/lib/vndk-sp/test vndk_sp_file
+/vendor/lib64/vndk-sp/test vndk_sp_file
+/system/vendor/lib/vndk-sp vndk_sp_file
+/system/vendor/lib64/vndk-sp vndk_sp_file
+/system/vendor/lib/vndk-sp/test vndk_sp_file
+/system/vendor/lib64/vndk-sp/test vndk_sp_file
+
+/vendor/manifest.xml vendor_configs_file
+/system/vendor/manifest.xml vendor_configs_file
+/vendor/compatibility_matrix.xml vendor_configs_file
+/system/vendor/compatibility_matrix.xml vendor_configs_file
+/vendor/etc/vintf vendor_configs_file
+/vendor/etc/vintf/test vendor_configs_file
+/system/vendor/etc/vintf vendor_configs_file
+/system/vendor/etc/vintf/test vendor_configs_file
+/vendor/app vendor_app_file
+/vendor/app/test vendor_app_file
+/system/vendor/app vendor_app_file
+/system/vendor/app/test vendor_app_file
+/vendor/priv-app vendor_app_file
+/vendor/priv-app/test vendor_app_file
+/system/vendor/priv-app vendor_app_file
+/system/vendor/priv-app/test vendor_app_file
+/vendor/overlay vendor_overlay_file
+/vendor/overlay/test vendor_overlay_file
+/system/vendor/overlay vendor_overlay_file
+/system/vendor/overlay/test vendor_overlay_file
+/vendor/framework vendor_framework_file
+/vendor/framework/test vendor_framework_file
+/system/vendor/framework vendor_framework_file
+/system/vendor/framework/test vendor_framework_file
+/vendor/etc/avf/microdroid vendor_microdroid_file
+/vendor/etc/avf/microdroid/test vendor_microdroid_file
+
+/vendor/apex vendor_apex_file
+/vendor/apex/test vendor_apex_file
+/vendor/apex/test/test vendor_apex_file
+/vendor/apex/test/test/test vendor_file
+/system/vendor/apex vendor_apex_file
+/system/vendor/apex/test vendor_apex_file
+/system/vendor/apex/test/test vendor_apex_file
+/system/vendor/apex/test/test/test vendor_file
+/vendor/bin/misc_writer vendor_misc_writer_exec
+/system/vendor/bin/misc_writer vendor_misc_writer_exec
+/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
+/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
+/system/vendor/bin/boringssl_self_test32 vendor_boringssl_self_test_exec
+/system/vendor/bin/boringssl_self_test64 vendor_boringssl_self_test_exec
+
+/vendor/lib/hw vendor_hal_file
+/vendor/lib64/hw vendor_hal_file
+/system/vendor/lib/hw vendor_hal_file
+/system/vendor/lib64/hw vendor_hal_file
+
+/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
+/system/vendor/etc/selinux/vendor_service_contexts vendor_service_contexts_file
+
+/odm vendor_file
+/odm/does_not_exist vendor_file
+/vendor/odm vendor_file
+/vendor/does_not_exist vendor_file
+/odm/lib/egl same_process_hal_file
+/odm/lib64/egl same_process_hal_file
+/odm/lib/egl/test same_process_hal_file
+/odm/lib64/egl/test same_process_hal_file
+/vendor/odm/lib/egl same_process_hal_file
+/vendor/odm/lib64/egl same_process_hal_file
+/vendor/odm/lib/egl/test same_process_hal_file
+/vendor/odm/lib64/egl/test same_process_hal_file
+/odm/lib/hw vendor_hal_file
+/odm/lib64/hw vendor_hal_file
+/vendor/odm/lib/hw vendor_hal_file
+/vendor/odm/lib64/hw vendor_hal_file
+/odm/lib/vndk-sp vndk_sp_file
+/odm/lib64/vndk-sp vndk_sp_file
+/odm/lib/vndk-sp/test vndk_sp_file
+/odm/lib64/vndk-sp/test vndk_sp_file
+/vendor/odm/lib/vndk-sp vndk_sp_file
+/vendor/odm/lib64/vndk-sp vndk_sp_file
+/vendor/odm/lib/vndk-sp/test vndk_sp_file
+/vendor/odm/lib64/vndk-sp/test vndk_sp_file
+
+/odm/bin/sh vendor_shell_exec
+/vendor/odm/bin/sh vendor_shell_exec
+/odm/etc vendor_configs_file
+/odm/etc/test vendor_configs_file
+/vendor/odm/etc vendor_configs_file
+/vendor/odm/etc/test vendor_configs_file
+/odm/app vendor_app_file
+/odm/app/test vendor_app_file
+/vendor/odm/app vendor_app_file
+/vendor/odm/app/test vendor_app_file
+/odm/priv-app vendor_app_file
+/odm/priv-app/test vendor_app_file
+/vendor/odm/priv-app vendor_app_file
+/vendor/odm/priv-app/test vendor_app_file
+/odm/overlay vendor_overlay_file
+/odm/overlay/test vendor_overlay_file
+/vendor/odm/overlay vendor_overlay_file
+/vendor/odm/overlay/test vendor_overlay_file
+/odm/framework vendor_framework_file
+/odm/framework/test vendor_framework_file
+/vendor/odm/framework vendor_framework_file
+/vendor/odm/framework/test vendor_framework_file
+
+/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/vendor/odm/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/vendor/odm/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+/system/vendor/etc/hal_uuid_map_.xml vendor_uuid_mapping_config_file
+/system/vendor/etc/hal_uuid_map_test.xml vendor_uuid_mapping_config_file
+
+/odm/usr/keylayout.kl vendor_keylayout_file
+/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/odm/usr/keylayout.kl vendor_keylayout_file
+/vendor/odm/usr/keylayout/test.kl vendor_keylayout_file
+/vendor/usr/keylayout.kl vendor_keylayout_file
+/vendor/usr/keylayout/test.kl vendor_keylayout_file
+/system/vendor/usr/keylayout.kl vendor_keylayout_file
+/system/vendor/usr/keylayout/test.kl vendor_keylayout_file
+/odm/usr/keychars.kcm vendor_keychars_file
+/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/odm/usr/keychars.kcm vendor_keychars_file
+/vendor/odm/usr/keychars/test.kcm vendor_keychars_file
+/vendor/usr/keychars.kcm vendor_keychars_file
+/vendor/usr/keychars/test.kcm vendor_keychars_file
+/system/vendor/usr/keychars.kcm vendor_keychars_file
+/system/vendor/usr/keychars/test.kcm vendor_keychars_file
+/odm/usr/idc.idc vendor_idc_file
+/odm/usr/idc/test.idc vendor_idc_file
+/vendor/odm/usr/idc.idc vendor_idc_file
+/vendor/odm/usr/idc/test.idc vendor_idc_file
+/vendor/usr/idc.idc vendor_idc_file
+/vendor/usr/idc/test.idc vendor_idc_file
+/system/vendor/usr/idc.idc vendor_idc_file
+/system/vendor/usr/idc/test.idc vendor_idc_file
+
+/oem oemfs
+/oem/does_not_exist oemfs
+/oem/overlay vendor_overlay_file
+/oem/overlay/does_not_exist vendor_overlay_file
+
+/odm/etc/selinux/precompiled_sepolicy sepolicy_file
+/odm/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 sepolicy_file
+
+/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
+/vendor/odm/etc/selinux/odm_sepolicy.cil sepolicy_file
+/odm/etc/selinux/odm_file_contexts file_contexts_file
+/vendor/odm/etc/selinux/odm_file_contexts file_contexts_file
+/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
+/vendor/odm/etc/selinux/odm_seapp_contexts seapp_contexts_file
+/odm/etc/selinux/odm_property_contexts property_contexts_file
+/vendor/odm/etc/selinux/odm_property_contexts property_contexts_file
+/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
+/vendor/odm/etc/selinux/odm_service_contexts vendor_service_contexts_file
+/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
+/vendor/odm/etc/selinux/odm_hwservice_contexts hwservice_contexts_file
+/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
+/vendor/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
+/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+
+/product system_file
+/product/does_not_exist system_file
+/system/product system_file
+/system/product/does_not_exist system_file
+/product/etc/group system_group_file
+/system/product/etc/group system_group_file
+/product/etc/passwd system_passwd_file
+/system/product/etc/passwd system_passwd_file
+/product/overlay system_file
+/product/overlay/does_not_exist system_file
+/system/product/overlay system_file
+/system/product/overlay/does_not_exist system_file
+
+/product/etc/selinux/product_file_contexts file_contexts_file
+/system/product/etc/selinux/product_file_contexts file_contexts_file
+/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
+/system/product/etc/selinux/product_hwservice_contexts hwservice_contexts_file
+/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
+/system/product/etc/selinux/product_keystore2_key_contexts keystore2_key_contexts_file
+/product/etc/selinux/product_property_contexts property_contexts_file
+/system/product/etc/selinux/product_property_contexts property_contexts_file
+/product/etc/selinux/product_seapp_contexts seapp_contexts_file
+/system/product/etc/selinux/product_seapp_contexts seapp_contexts_file
+/product/etc/selinux/product_service_contexts service_contexts_file
+/system/product/etc/selinux/product_service_contexts service_contexts_file
+/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+/system/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+
+/product/lib system_lib_file
+/product/lib/does_not_exist system_lib_file
+/product/lib64 system_lib_file
+/product/lib64/does_not_exist system_lib_file
+/system/product/lib system_lib_file
+/system/product/lib/does_not_exist system_lib_file
+/system/product/lib64 system_lib_file
+/system/product/lib64/does_not_exist system_lib_file
+
+/system_ext system_file
+/system_ext/does_not_exist system_file
+/system/system_ext system_file
+/system/system_ext/does_not_exist system_file
+/system_ext/etc/group system_group_file
+/system/system_ext/etc/group system_group_file
+/system_ext/etc/passwd system_passwd_file
+/system/system_ext/etc/passwd system_passwd_file
+/system_ext/overlay vendor_overlay_file
+/system_ext/overlay/does_not_exist vendor_overlay_file
+/system/system_ext/overlay vendor_overlay_file
+/system/system_ext/overlay/does_not_exist vendor_overlay_file
+
+/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
+/system/system_ext/etc/selinux/system_ext_file_contexts file_contexts_file
+/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
+/system/system_ext/etc/selinux/system_ext_hwservice_contexts hwservice_contexts_file
+/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
+/system/system_ext/etc/selinux/system_ext_keystore2_key_contexts keystore2_key_contexts_file
+/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
+/system/system_ext/etc/selinux/system_ext_property_contexts property_contexts_file
+/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
+/system/system_ext/etc/selinux/system_ext_seapp_contexts seapp_contexts_file
+/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
+/system/system_ext/etc/selinux/system_ext_service_contexts service_contexts_file
+/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
+/system/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
+/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+/system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+
+/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
+/system/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
+/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
+/system/system_ext/bin/aidl_lazy_cb_test_server aidl_lazy_test_server_exec
+/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
+/system/system_ext/bin/hidl_lazy_test_server hidl_lazy_test_server_exec
+/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
+/system/system_ext/bin/hidl_lazy_cb_test_server hidl_lazy_test_server_exec
+/system_ext/bin/hwservicemanager hwservicemanager_exec
+/system/system_ext/bin/hwservicemanager hwservicemanager_exec
+/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+/system/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+
+
+/system_ext/bin/canhalconfigurator canhalconfigurator_exec
+/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
+/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+
+/system_ext/lib system_lib_file
+/system_ext/lib/does_not_exist system_lib_file
+/system_ext/lib64 system_lib_file
+/system_ext/lib64/does_not_exist system_lib_file
+/system/system_ext/lib system_lib_file
+/system/system_ext/lib/does_not_exist system_lib_file
+/system/system_ext/lib64 system_lib_file
+/system/system_ext/lib64/does_not_exist system_lib_file
+
+/vendor_dlkm vendor_file
+/vendor_dlkm/does_not_exist vendor_file
+/vendor/vendor_dlkm vendor_file
+/vendor/vendor_dlkm/does_not_exist vendor_file
+/system/vendor/vendor_dlkm vendor_file
+/system/vendor/vendor_dlkm/does_not_exist vendor_file
+/vendor_dlkm/etc vendor_configs_file
+/vendor_dlkm/etc/does_not_exist vendor_configs_file
+/vendor/vendor_dlkm/etc vendor_configs_file
+/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
+/system/vendor/vendor_dlkm/etc vendor_configs_file
+/system/vendor/vendor_dlkm/etc/does_not_exist vendor_configs_file
+
+/odm_dlkm vendor_file
+/odm_dlkm/does_not_exist vendor_file
+/vendor/odm_dlkm vendor_file
+/vendor/odm_dlkm/does_not_exist vendor_file
+/system/vendor/odm_dlkm vendor_file
+/system/vendor/odm_dlkm/does_not_exist vendor_file
+/odm_dlkm/etc vendor_configs_file
+/odm_dlkm/etc/does_not_exist vendor_configs_file
+/vendor/odm_dlkm/etc vendor_configs_file
+/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
+/system/vendor/odm_dlkm/etc vendor_configs_file
+/system/vendor/odm_dlkm/etc/does_not_exist vendor_configs_file
+
+/product/vendor_overlay/0/test vendor_file
+/product/vendor_overlay/1/test vendor_file
+/system/product/vendor_overlay/0/test vendor_file
+/system/product/vendor_overlay/1/test vendor_file
+
+/data system_data_root_file
+/data/does_not_exist system_data_file
+/data/system/environ environ_system_data_file
+/data/system/environ/test environ_system_data_file
+/data/system/packages.list packages_list_file
+/data/system/game_mode_intervention.list game_mode_intervention_list_file
+/data/unencrypted unencrypted_data_file
+/data/unencrypted/test unencrypted_data_file
+/data/backup backup_data_file
+/data/backup/test backup_data_file
+/data/secure/backup backup_data_file
+/data/secure/backup/test backup_data_file
+/data/system/ndebugsocket system_ndebug_socket
+/data/system/unsolzygotesocket system_unsolzygote_socket
+/data/drm drm_data_file
+/data/drm/test drm_data_file
+/data/resource-cache resourcecache_data_file
+/data/resource-cache/test resourcecache_data_file
+/data/dalvik-cache dalvikcache_data_file
+/data/dalvik-cache/test dalvikcache_data_file
+/data/ota ota_data_file
+/data/ota/test ota_data_file
+/data/ota_package ota_package_file
+/data/ota_package/test ota_package_file
+/data/adb adb_data_file
+/data/adb/test adb_data_file
+/data/anr anr_data_file
+/data/anr/test anr_data_file
+/data/apex apex_data_file
+/data/apex/test apex_data_file
+/data/apex/active/test staging_data_file
+/data/apex/backup/test staging_data_file
+/data/apex/decompressed/test staging_data_file
+/data/apex/ota_reserved apex_ota_reserved_file
+/data/apex/ota_reserved/test apex_ota_reserved_file
+/data/app apk_data_file
+/data/app/test apk_data_file
+/data/app/test01/oat dalvikcache_data_file
+/data/app/test01/oat/test dalvikcache_data_file
+/data/app/test01/test02/oat dalvikcache_data_file
+/data/app/test01/test02/oat/test dalvikcache_data_file
+/data/app/vmdltest01.tmp apk_tmp_file
+/data/app/vmdltest01.tmp/test apk_tmp_file
+/data/app/vmdltest02.tmp/oat dalvikcache_data_file
+/data/app/vmdltest02.tmp/oat/test dalvikcache_data_file
+/data/app-private apk_private_data_file
+/data/app-private/test apk_private_data_file
+/data/app-private/vmdltest.tmp apk_private_tmp_file
+/data/app-private/vmdltest/does_not_exist.tmp apk_private_tmp_file
+/data/app-private/vmdltest.tmp/test apk_private_tmp_file
+/data/gsi gsi_data_file
+/data/gsi/test gsi_data_file
+/data/gsi_persistent_data gsi_persistent_data_file
+/data/gsi/ota ota_image_data_file
+/data/gsi/ota/test ota_image_data_file
+/data/tombstones tombstone_data_file
+/data/tombstones/test tombstone_data_file
+/data/vendor/tombstones/wifi tombstone_wifi_data_file
+/data/vendor/tombstones/wifi/test tombstone_wifi_data_file
+/data/local/tests shell_test_data_file
+/data/local/tests/test shell_test_data_file
+/data/local/tmp shell_data_file
+/data/local/tmp/test shell_data_file
+/data/local/tmp/ltp nativetest_data_file
+/data/local/tmp/ltp/test nativetest_data_file
+/data/local/traces trace_data_file
+/data/local/traces/test trace_data_file
+/data/media media_userdir_file
+/data/media/test media_rw_data_file
+/data/mediadrm media_data_file
+/data/mediadrm/test media_data_file
+/data/nativetest nativetest_data_file
+/data/nativetest/test nativetest_data_file
+/data/nativetest64 nativetest_data_file
+/data/nativetest64/test nativetest_data_file
+/data/pkg_staging staging_data_file
+/data/pkg_staging/test staging_data_file
+/data/property property_data_file
+/data/property/test property_data_file
+/data/preloads preloads_data_file
+/data/preloads/test preloads_data_file
+/data/preloads/media preloads_media_file
+/data/preloads/media/test preloads_media_file
+/data/preloads/demo preloads_media_file
+/data/preloads/demo/test preloads_media_file
+/data/server_configurable_flags server_configurable_flags_data_file
+/data/server_configurable_flags/test server_configurable_flags_data_file
+/data/app-staging staging_data_file
+/data/app-staging/test staging_data_file
+/data/rollback/0/test/test.apk apk_data_file
+/data/rollback/999/test/test.apex staging_data_file
+/data/fonts/files font_data_file
+/data/fonts/files/test font_data_file
+/data/misc_ce system_userdir_file
+/data/misc_de system_userdir_file
+/data/system_ce system_userdir_file
+/data/system_de system_userdir_file
+/data/user system_userdir_file
+/data/user_de system_userdir_file
+
+/data/misc/adb adb_keys_file
+/data/misc/adb/test adb_keys_file
+/data/misc/a11ytrace accessibility_trace_data_file
+/data/misc/a11ytrace/test accessibility_trace_data_file
+/data/misc/apexdata apex_module_data_file
+/data/misc/apexdata/test apex_module_data_file
+/data/misc/apexdata/com.android.art apex_art_data_file
+/data/misc/apexdata/com.android.art/test apex_art_data_file
+/data/misc/apexdata/com.android.compos apex_compos_data_file
+/data/misc/apexdata/com.android.compos/test apex_compos_data_file
+/data/misc/apexdata/com.android.virt apex_virt_data_file
+/data/misc/apexdata/com.android.virt/test apex_virt_data_file
+/data/misc/apexdata/com.android.permission apex_system_server_data_file
+/data/misc/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc/apexdata/com.android.scheduling apex_system_server_data_file
+/data/misc/apexdata/com.android.scheduling/test apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering apex_system_server_data_file
+/data/misc/apexdata/com.android.tethering/test apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc/apexdata/com.android.uwb/test apex_system_server_data_file
+/data/misc/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc/apexrollback apex_rollback_data_file
+/data/misc/apexrollback/test apex_rollback_data_file
+/data/misc/apns radio_data_file
+/data/misc/apns/test radio_data_file
+/data/misc/appcompat appcompat_data_file
+/data/misc/appcompat/test appcompat_data_file
+/data/misc/audio audio_data_file
+/data/misc/audio/test audio_data_file
+/data/misc/audioserver audioserver_data_file
+/data/misc/audioserver/test audioserver_data_file
+/data/misc/audiohal audiohal_data_file
+/data/misc/audiohal/test audiohal_data_file
+/data/misc/bootstat bootstat_data_file
+/data/misc/bootstat/test bootstat_data_file
+/data/misc/boottrace boottrace_data_file
+/data/misc/boottrace/test boottrace_data_file
+/data/misc/bluetooth bluetooth_data_file
+/data/misc/bluetooth/test bluetooth_data_file
+/data/misc/bluetooth/logs bluetooth_logs_data_file
+/data/misc/bluetooth/logs/test bluetooth_logs_data_file
+/data/misc/bluedroid bluetooth_data_file
+/data/misc/bluedroid/test bluetooth_data_file
+/data/misc/bluedroid/.a2dp_ctrl bluetooth_socket
+/data/misc/bluedroid/.a2dp_data bluetooth_socket
+/data/misc/camera camera_data_file
+/data/misc/camera/test camera_data_file
+/data/misc/carrierid radio_data_file
+/data/misc/carrierid/test radio_data_file
+/data/misc/dhcp dhcp_data_file
+/data/misc/dhcp/test dhcp_data_file
+/data/misc/dhcp-6.8.2 dhcp_data_file
+/data/misc/dhcp-6.8.2/test dhcp_data_file
+/data/misc/dmesgd dmesgd_data_file
+/data/misc/dmesgd/test dmesgd_data_file
+/data/misc/emergencynumberdb emergency_data_file
+/data/misc/emergencynumberdb/test emergency_data_file
+/data/misc/gatekeeper gatekeeper_data_file
+/data/misc/gatekeeper/test gatekeeper_data_file
+/data/misc/incidents incident_data_file
+/data/misc/incidents/test incident_data_file
+/data/misc/installd install_data_file
+/data/misc/installd/test install_data_file
+/data/misc/keychain keychain_data_file
+/data/misc/keychain/test keychain_data_file
+/data/misc/credstore credstore_data_file
+/data/misc/credstore/test credstore_data_file
+/data/misc/keystore keystore_data_file
+/data/misc/keystore/test keystore_data_file
+/data/misc/logd misc_logd_file
+/data/misc/logd/test misc_logd_file
+/data/misc/media media_data_file
+/data/misc/media/test media_data_file
+/data/misc/net net_data_file
+/data/misc/net/test net_data_file
+/data/misc/network_watchlist network_watchlist_data_file
+/data/misc/network_watchlist/test network_watchlist_data_file
+/data/misc/nfc/logs nfc_logs_data_file
+/data/misc/nfc/logs/test nfc_logs_data_file
+/data/misc/odrefresh odrefresh_data_file
+/data/misc/odrefresh/test odrefresh_data_file
+/data/misc/odsign odsign_data_file
+/data/misc/odsign/test odsign_data_file
+/data/misc/odsign/metrics odsign_metrics_file
+/data/misc/odsign/metrics/test odsign_metrics_file
+/data/misc/perfetto-traces/bugreport perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces/bugreport/test perfetto_traces_bugreport_data_file
+/data/misc/perfetto-traces perfetto_traces_data_file
+/data/misc/perfetto-traces/test perfetto_traces_data_file
+/data/misc/perfetto-configs perfetto_configs_data_file
+/data/misc/perfetto-configs/test perfetto_configs_data_file
+/data/misc/prereboot prereboot_data_file
+/data/misc/prereboot/test prereboot_data_file
+/data/misc/profcollectd profcollectd_data_file
+/data/misc/profcollectd/test profcollectd_data_file
+/data/misc/radio radio_core_data_file
+/data/misc/radio/test radio_core_data_file
+/data/misc/recovery recovery_data_file
+/data/misc/recovery/test recovery_data_file
+/data/misc/shared_relro shared_relro_file
+/data/misc/shared_relro/test shared_relro_file
+/data/misc/sms radio_data_file
+/data/misc/sms/test radio_data_file
+/data/misc/snapshotctl_log snapshotctl_log_data_file
+/data/misc/snapshotctl_log/test snapshotctl_log_data_file
+/data/misc/stats-active-metric stats_data_file
+/data/misc/stats-active-metric/test stats_data_file
+/data/misc/stats-data stats_data_file
+/data/misc/stats-data/test stats_data_file
+/data/misc/stats-service stats_config_data_file
+/data/misc/stats-service/test stats_config_data_file
+/data/misc/stats-metadata stats_data_file
+/data/misc/stats-metadata/test stats_data_file
+/data/misc/systemkeys systemkeys_data_file
+/data/misc/systemkeys/test systemkeys_data_file
+/data/misc/textclassifier textclassifier_data_file
+/data/misc/textclassifier/test textclassifier_data_file
+/data/misc/threadnetwork threadnetwork_data_file
+/data/misc/threadnetwork/test threadnetwork_data_file
+/data/misc/train-info stats_data_file
+/data/misc/train-info/test stats_data_file
+/data/misc/user misc_user_data_file
+/data/misc/user/test misc_user_data_file
+/data/misc/virtualizationservice virtualizationservice_data_file
+/data/misc/virtualizationservice/test virtualizationservice_data_file
+/data/misc/vpn vpn_data_file
+/data/misc/vpn/test vpn_data_file
+/data/misc/wifi wifi_data_file
+/data/misc/wifi/test wifi_data_file
+/data/misc_ce/0/wifi wifi_data_file
+/data/misc_ce/99/wifi/test wifi_data_file
+/data/misc/wifi/sockets wpa_socket
+/data/misc/wifi/sockets/test wpa_socket
+/data/misc/wifi/sockets/wpa_ctrl_test system_wpa_socket
+/data/misc/wifi/sockets/wpa_ctrl.rc system_wpa_socket
+/data/misc/vold vold_data_file
+/data/misc/vold/test vold_data_file
+/data/misc/update_engine update_engine_data_file
+/data/misc/update_engine/test update_engine_data_file
+/data/misc/update_engine_log update_engine_log_data_file
+/data/misc/update_engine_log/test update_engine_log_data_file
+/data/misc/snapuserd_log snapuserd_log_data_file
+/data/misc/snapuserd_log/test snapuserd_log_data_file
+/data/system/dropbox dropbox_data_file
+/data/system/dropbox/test dropbox_data_file
+/data/system/heapdump heapdump_data_file
+/data/system/heapdump/test heapdump_data_file
+/data/misc/trace method_trace_data_file
+/data/misc/trace/test method_trace_data_file
+/data/misc/wmtrace wm_trace_data_file
+/data/misc/wmtrace/test wm_trace_data_file
+/data/misc/profiles/cur/0 user_profile_root_file
+/data/misc/profiles/cur/9 user_profile_root_file
+/data/misc/profiles/cur/0/test user_profile_data_file
+/data/misc/profiles/ref user_profile_data_file
+/data/misc/profiles/ref/test user_profile_data_file
+/data/misc/profman profman_dump_data_file
+/data/misc/profman/test profman_dump_data_file
+/data/vendor vendor_data_file
+/data/vendor/test vendor_data_file
+/data/vendor_ce vendor_userdir_file
+/data/vendor_ce/test vendor_data_file
+/data/vendor_de vendor_userdir_file
+/data/vendor_de/test vendor_data_file
+
+/data/misc_de/0/storaged storaged_data_file
+/data/misc_de/99/storaged/test storaged_data_file
+/data/misc_ce/0/storaged storaged_data_file
+/data/misc_ce/99/storaged/test storaged_data_file
+
+/data/misc_ce/0/checkin checkin_data_file
+/data/misc_ce/99/checkin/test checkin_data_file
+
+/data/system/users/0/fpdata fingerprintd_data_file
+/data/system/users/99/fpdata/test fingerprintd_data_file
+/data/vendor_de/0/fpdata fingerprint_vendor_data_file
+/data/vendor_de/99/fpdata/test fingerprint_vendor_data_file
+/data/vendor_de/0/facedata face_vendor_data_file
+/data/vendor_de/99/facedata/test face_vendor_data_file
+/data/vendor_ce/0/facedata face_vendor_data_file
+/data/vendor_ce/99/facedata/test face_vendor_data_file
+/data/vendor_de/0/irisdata iris_vendor_data_file
+/data/vendor_de/99/irisdata/test iris_vendor_data_file
+
+/data/bootchart bootchart_data_file
+/data/bootchart/test bootchart_data_file
+
+/data/misc_de/0/sdksandbox sdk_sandbox_system_data_file
+/data/misc_de/99/sdksandbox sdk_sandbox_system_data_file
+/data/misc_ce/0/sdksandbox sdk_sandbox_system_data_file
+/data/misc_ce/99/sdksandbox sdk_sandbox_system_data_file
+
+/data/misc_de/0/rollback rollback_data_file
+/data/misc_de/99/rollback/test rollback_data_file
+/data/misc_ce/0/rollback rollback_data_file
+/data/misc_ce/99/rollback/test rollback_data_file
+
+/data/misc_de/0/apexdata apex_module_data_file
+/data/misc_de/99/apexdata/test apex_module_data_file
+/data/misc_ce/0/apexdata apex_module_data_file
+/data/misc_ce/99/apexdata/test apex_module_data_file
+/data/misc_ce/0/apexdata/com.android.appsearch apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.appsearch/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.permission apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.permission apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.permission/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.wifi apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.wifi/test apex_system_server_data_file
+/data/misc_de/0/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc_de/99/apexdata/com.android.uwb/test apex_system_server_data_file
+/data/misc_ce/0/apexdata/com.android.uwb apex_system_server_data_file
+/data/misc_ce/99/apexdata/com.android.uwb/test apex_system_server_data_file
+
+/data/misc_de/0/apexrollback apex_rollback_data_file
+/data/misc_de/99/apexrollback/test apex_rollback_data_file
+/data/misc_ce/0/apexrollback apex_rollback_data_file
+/data/misc_ce/99/apexrollback/test apex_rollback_data_file
+
+/data/incremental apk_data_file
+/data/incremental/test apk_data_file
+/data/incremental/MT_test/mount/.pending_reads incremental_control_file
+/data/incremental/MT_test/mount/.log incremental_control_file
+/data/incremental/MT_test/mount/.blocks_written incremental_control_file
+
+/data/misc/bootanim bootanim_data_file
+/data/misc/bootanim/test bootanim_data_file
+/mnt/expand mnt_expand_file
+/mnt/expand/does_not_exist system_data_file
+/mnt/expand/test/test system_data_file
+/mnt/expand/test/app apk_data_file
+/mnt/expand/test/app/test apk_data_file
+/mnt/expand/test/app/test/oat dalvikcache_data_file
+/mnt/expand/test/app/test/oat/test dalvikcache_data_file
+/mnt/expand/test/app/test/test/oat dalvikcache_data_file
+/mnt/expand/test/app/test/test/oat/test dalvikcache_data_file
+/mnt/expand/test/app/vmdltest.tmp apk_tmp_file
+/mnt/expand/test/app/vmdltest.tmp/test apk_tmp_file
+/mnt/expand/test/app/vmdltest.tmp/oat dalvikcache_data_file
+/mnt/expand/test/app/vmdltest.tmp/oat/test dalvikcache_data_file
+/mnt/expand/test/local/tmp shell_data_file
+/mnt/expand/test/local/tmp/test shell_data_file
+/mnt/expand/test/media media_userdir_file
+/mnt/expand/test/media/test media_rw_data_file
+/mnt/expand/test/misc/vold vold_data_file
+/mnt/expand/test/misc/vold/test vold_data_file
+/mnt/expand/test/misc_ce system_userdir_file
+/mnt/expand/test/misc_de system_userdir_file
+/mnt/expand/test/user system_userdir_file
+/mnt/expand/test/user_de system_userdir_file
+
+/cores coredump_file
+/cores/test coredump_file
+
+/data/system/users/0/wallpaper_lock_orig wallpaper_file
+/data/system/users/99/wallpaper_lock wallpaper_file
+/data/system/users/0/wallpaper_orig wallpaper_file
+/data/system/users/10/wallpaper wallpaper_file
+
+/data/system_de/0/ringtones ringtone_file
+/data/system_de/0/ringtones/test ringtone_file
+
+/data/system_ce/0/shortcut_service/bitmaps shortcut_manager_icons
+/data/system_ce/9/shortcut_service/bitmaps/test shortcut_manager_icons
+
+/data/system/users/10/photo.png icon_file
+
+/data/system/shutdown-checkpoints shutdown_checkpoints_system_data_file
+/data/system/shutdown-checkpoints/test shutdown_checkpoints_system_data_file
+
+/data/misc_de/0/vold vold_data_file
+/data/misc_de/99/vold/test vold_data_file
+/data/misc_ce/0/vold vold_data_file
+/data/misc_ce/99/vold/test vold_data_file
+
+/data/system_ce/0/backup backup_data_file
+/data/system_ce/99/backup/test backup_data_file
+/data/system_ce/0/backup_stage backup_data_file
+/data/system_ce/99/backup_stage/test backup_data_file
+
+/efs efs_file
+/efs/test efs_file
+
+/cache cache_file
+/cache/test cache_file
+/cache/recovery cache_recovery_file
+/cache/recovery/test cache_recovery_file
+/cache/backup_stage cache_backup_file
+/cache/backup_stage/test cache_backup_file
+/cache/backup cache_private_backup_file
+/cache/backup/test cache_private_backup_file
+
+/cache/overlay overlayfs_file
+/cache/overlay/test overlayfs_file
+/mnt/scratch overlayfs_file
+/mnt/scratch/test overlayfs_file
+
+/data/cache cache_file
+/data/cache/test cache_file
+/data/cache/recovery cache_recovery_file
+/data/cache/recovery/test cache_recovery_file
+/data/cache/backup_stage cache_backup_file
+/data/cache/backup_stage/test cache_backup_file
+/data/cache/backup cache_private_backup_file
+/data/cache/backup/test cache_private_backup_file
+
+/metadata metadata_file
+/metadata/test metadata_file
+/metadata/apex apex_metadata_file
+/metadata/apex/test apex_metadata_file
+/metadata/vold vold_metadata_file
+/metadata/vold/test vold_metadata_file
+/metadata/gsi gsi_metadata_file
+/metadata/gsi/test gsi_metadata_file
+/metadata/gsi/dsu/active gsi_public_metadata_file
+/metadata/gsi/dsu/booted gsi_public_metadata_file
+/metadata/gsi/dsu/lp_names gsi_public_metadata_file
+/metadata/gsi/dsu/test/metadata_encryption_dir gsi_public_metadata_file
+/metadata/gsi/ota ota_metadata_file
+/metadata/gsi/ota/test ota_metadata_file
+/metadata/password_slots password_slot_metadata_file
+/metadata/password_slots/test password_slot_metadata_file
+/metadata/ota ota_metadata_file
+/metadata/ota/test ota_metadata_file
+/metadata/bootstat metadata_bootstat_file
+/metadata/bootstat/test metadata_bootstat_file
+/metadata/staged-install staged_install_file
+/metadata/staged-install/test staged_install_file
+/metadata/userspacereboot userspace_reboot_metadata_file
+/metadata/userspacereboot/test userspace_reboot_metadata_file
+/metadata/watchdog watchdog_metadata_file
+/metadata/watchdog/test watchdog_metadata_file
+/metadata/repair-mode repair_mode_metadata_file
+/metadata/repair-mode/test repair_mode_metadata_file
+
+/mnt/asec asec_apk_file
+/mnt/asec/test asec_apk_file
+/mnt/asec/test/test.zip asec_public_file
+/mnt/asec/test/lib asec_public_file
+/mnt/asec/test/lib/test asec_public_file
+/data/app-asec asec_image_file
+/data/app-asec/test asec_image_file
+
+/mnt/media_rw mnt_media_rw_file
+/mnt/media_rw/test mnt_media_rw_file
+/mnt/user mnt_user_file
+/mnt/user/test mnt_user_file
+/mnt/pass_through mnt_pass_through_file
+/mnt/pass_through/test mnt_pass_through_file
+/mnt/sdcard mnt_sdcard_file
+/mnt/runtime storage_file
+/mnt/runtime/test storage_file
+/storage storage_file
+/storage/test storage_file
+
+/mnt/vendor mnt_vendor_file
+/mnt/vendor/test mnt_vendor_file
+
+/mnt/product mnt_product_file
+/mnt/product/test mnt_product_file
+
+/system/bin/check_dynamic_partitions postinstall_exec
+/product/bin/check_dynamic_partitions postinstall_exec
+/system/bin/otapreopt_script postinstall_exec
+/product/bin/otapreopt_script postinstall_exec
+/system/bin/otapreopt postinstall_dexopt_exec
+/product/bin/otapreopt postinstall_dexopt_exec
diff --git a/definitions.mk b/definitions.mk
deleted file mode 100644
index 63c4d94..0000000
--- a/definitions.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-# Command to turn collection of policy files into a policy.conf file to be
-# processed by checkpolicy
-define transform-policy-to-conf
-@mkdir -p $(dir $@)
-$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
- -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
- -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
- -D target_arch=$(PRIVATE_TGT_ARCH) \
- -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
- -D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
- -D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
- -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
- -D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
- -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
- -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
- -D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
- -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
- $(PRIVATE_TGT_RECOVERY) \
- -s $(PRIVATE_POLICY_FILES) > $@
-endef
-.KATI_READONLY := transform-policy-to-conf
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
- $(hide) mkdir -p $$(dir $$@)
- $(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
diff --git a/flagging/Android.bp b/flagging/Android.bp
new file mode 100644
index 0000000..55e116b
--- /dev/null
+++ b/flagging/Android.bp
@@ -0,0 +1,38 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains a list of flags for sepolicy.
+se_policy_conf_defaults {
+ name: "se_policy_conf_flags_defaults",
+ srcs: [":sepolicy_flagging_macros"],
+ flags: [
+ "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
+ "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
+ ],
+}
+
+contexts_defaults {
+ name: "contexts_flags_defaults",
+ srcs: [":sepolicy_flagging_macros"],
+ neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
+ flags: [
+ "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
+ "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
+ ],
+}
+
+filegroup {
+ name: "sepolicy_flagging_macros",
+ srcs: ["te_macros"],
+}
diff --git a/flagging/te_macros b/flagging/te_macros
new file mode 100644
index 0000000..3464502
--- /dev/null
+++ b/flagging/te_macros
@@ -0,0 +1,9 @@
+####################################
+# is_flag_enabled(flag, rules)
+# SELinux rules which apply only if given feature is turned on
+define(`is_flag_enabled', `ifelse(target_flag_$1, `true', `$2')')
+
+####################################
+# is_flag_disabled(flag, rules)
+# SELinux rules which apply only if given feature is turned off
+define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
index 401f78c..16132c6 100644
--- a/mac_permissions/Android.bp
+++ b/mac_permissions/Android.bp
@@ -72,14 +72,14 @@
mac_permissions {
name: "vendor_mac_permissions.xml",
keys: [
- ":keys.conf{.plat_vendor_for_vendor}",
+ ":keys.conf{.plat_vendor}",
":keys.conf{.vendor}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
- ":mac_permissions.xml{.plat_vendor_for_vendor}",
+ ":mac_permissions.xml{.plat_vendor}",
":mac_permissions.xml{.vendor}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
vendor: true,
}
@@ -88,11 +88,11 @@
name: "odm_mac_permissions.xml",
keys: [
":keys.conf{.odm}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
":mac_permissions.xml{.odm}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
device_specific: true,
}
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 12bb8f7..f24f31d 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -233,7 +233,7 @@
se_policy_binary {
name: "microdroid_precompiled_sepolicy",
- stem: "precompiled_sepolicy",
+ stem: "microdroid_precompiled_sepolicy",
srcs: [
":microdroid_plat_sepolicy.cil",
":microdroid_plat_mapping_file",
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 1e8529b..118425a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -252,6 +252,10 @@
# Properties that microdroid doesn't have but some still want to read.
dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
+# Allow all processes to "read" non_existing_prop to suppress libc's access denial logs.
+# dontaudit is not enough; it's still fine because they can't be written, by neverallow rules
+get_prop(domain, non_existing_prop)
+
###
### neverallow rules
###
@@ -410,7 +414,7 @@
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-neverallow { domain -init } proc:{ file dir } mounton;
+neverallow { domain -init } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 5fa2e3a..61c89a1 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -34,10 +34,13 @@
# encryptedstore to mount on tmpfs bases directory (/mnt/)
allow encryptedstore tmpfs:dir { add_name create mounton write };
-# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the latter
allow encryptedstore labeledfs:filesystem { relabelfrom };
allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
+# chmod the root directory
+allow encryptedstore encryptedstore_file:dir setattr;
+
# allow encryptedstore to log to the kernel
allow encryptedstore kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index c6ed654..62ca9b7 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -14,10 +14,6 @@
type authfs_fuse, fs_type, contextmount_type;
-# /dev/selinux/test - used to verify that apex sepolicy is loaded and
-# property labeled.
-type sepolicy_test_file, file_type;
-
# /system/bin/mke2fs - used to format encryptedstore block device
type e2fs_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index e483237..046f20f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -72,7 +72,9 @@
/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
#############################
# Linker configuration
#
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 408418c..896590d 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -32,11 +32,11 @@
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-# /dev/__properties__
+# /dev/__properties__ and /dev/__properties__/appcompat_override
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties__/appcompat_override/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/socket
@@ -57,6 +57,9 @@
# setrlimit
allow init self:global_capability_class_set sys_resource;
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index e81173d..1d03c4a 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,16 +81,3 @@
#-----------------------------------------
allow kernel apkdmverity:fd use;
-
-# Some contexts are changed before the device is flipped into enforcing mode
-# during the setup of Apex sepolicy. These denials can be suppressed since
-# the permissions should not be allowed after the device is flipped into
-# enforcing mode.
-dontaudit kernel device:dir { open read relabelto };
-dontaudit kernel tmpfs:file { getattr open read relabelfrom };
-dontaudit kernel {
- file_contexts_file
- property_contexts_file
- sepolicy_test_file
- service_contexts_file
-}:file relabelto;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 23b5033..2aed367 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -34,9 +34,10 @@
# Allow microdroid_manager to remove capabilities from it's capability bounding set.
allow microdroid_manager self:global_capability_class_set setpcap;
-# Allow microdroid_manager to start payload tasks
+# Allow microdroid_manager to start payload tasks in a different uid/gid.
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
+allow microdroid_manager self:global_capability_class_set { setuid setgid };
# Allow microdroid_manager to start apk verity binaries
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index c1974c7..e4315a2 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -8,13 +8,6 @@
# microdroid_launcher is launched by microdroid_manager with fork/execvp.
allow microdroid_payload microdroid_manager:fd use;
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
- allow microdroid_payload shell:fd use;
-')
-
# Allow to use terminal
allow microdroid_payload devpts:chr_file rw_file_perms;
@@ -27,6 +20,10 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
+# Read from console. Note that both /dev/kmsg and /dev/console are backed
+# by the same file in the host.
+allow microdroid_payload console_device:chr_file r_file_perms;
+
# Allow microdroid_payload to host binder servers via vsock. Listening
# for connections from the host is permitted, but connecting out to
# the host is not. Inbound connections are mediated by
@@ -60,5 +57,23 @@
allow microdroid_payload encryptedstore_file:dir create_dir_perms;
allow microdroid_payload encryptedstore_file:file create_file_perms;
+# Payload can access devices labeled as payload accessible.
+allow microdroid_payload payload_accessible_device:chr_file rw_file_perms;
+
# Never allow microdroid_payload to connect to vsock
neverallow microdroid_payload self:vsock_socket connect;
+
+# Nothing else should be accessing the payload's storage
+neverallow { domain
+ -microdroid_payload
+ -microdroid_manager
+ -encryptedstore
+ -init
+ -vendor_init
+} encryptedstore_file:dir { read write };
+neverallow { domain
+ -microdroid_payload
+ -microdroid_manager
+ -init
+ -vendor_init
+} encryptedstore_file:file no_rw_file_perms;
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index de32003..98c483a 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -5,6 +5,7 @@
system_public_prop(dalvik_dynamic_config_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(non_existing_prop)
typeattribute dalvik_config_prop dalvik_config_prop_type;
typeattribute dalvik_dynamic_config_prop dalvik_config_prop_type;
@@ -61,3 +62,8 @@
-microdroid_manager
-crash_dump
} {microdroid_config_prop}:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+} non_existing_prop:property_service set;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index e74d6d2..2bd5a22 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -145,6 +145,7 @@
libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag. u:object_r:non_existing_prop:s0 prefix string
persist.sys.timezone u:object_r:timezone_prop:s0 exact string
@@ -171,3 +172,21 @@
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
+
+# These non_existing_prop properties are unused in microdroid, but added here to suppress libc's
+# access denial logs.
+libc.debug.gwp_asan. u:object_r:non_existing_prop:s0 prefix string
+persist.libc.debug.gwp_asan. u:object_r:non_existing_prop:s0 prefix string
+persist.adb.tls_server.enable u:object_r:non_existing_prop:s0 exact bool
+persist.adb.watchdog.timeout_secs u:object_r:non_existing_prop:s0 exact int
+persist.adb.watchdog u:object_r:non_existing_prop:s0 exact bool
+persist.device_config. u:object_r:non_existing_prop:s0 prefix string
+persist.sys.test_harness u:object_r:non_existing_prop:s0 exact bool
+ro.arch u:object_r:non_existing_prop:s0 exact string
+ro.boot.vsock_tombstone_port u:object_r:non_existing_prop:s0 exact int
+ro.product.device u:object_r:non_existing_prop:s0 exact string
+ro.product.model u:object_r:non_existing_prop:s0 exact string
+ro.product.name u:object_r:non_existing_prop:s0 exact string
+ro.product.vndk.version u:object_r:non_existing_prop:s0 exact string
+ro.secure u:object_r:non_existing_prop:s0 exact bool
+ro.serialno u:object_r:non_existing_prop:s0 exact string
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 038be00..5267348 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -7,11 +7,6 @@
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
-# Allow shell to launch microdroid_launcher in its own domain
-# TODO(b/186396070) remove this when microdroid_manager can do this
-domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
-domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
-
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow shell adbd:unix_stream_socket connectto;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 1a64b62..dfae6f9 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -12,6 +12,7 @@
type null_device, dev_type;
type open_dice_device, dev_type;
type owntty_device, dev_type;
+type payload_accessible_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
diff --git a/policy_version.mk b/policy_version.mk
deleted file mode 100644
index e6bb747..0000000
--- a/policy_version.mk
+++ /dev/null
@@ -1,4 +0,0 @@
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
new file mode 100644
index 0000000..fd2099f
--- /dev/null
+++ b/prebuilts/api/29.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "29.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_29.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_pub_policy.cil",
+ src: ":29.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "29.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_product_pub_policy.cil",
+ src: ":29.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "29.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.plat_private_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.system_ext_private_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.product_private_29.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_policy.cil",
+ src: ":29.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "29.0_plat_policy",
+ srcs: [":29.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
new file mode 100644
index 0000000..b958de0
--- /dev/null
+++ b/prebuilts/api/30.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "30.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_30.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_pub_policy.cil",
+ src: ":30.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "30.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_product_pub_policy.cil",
+ src: ":30.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "30.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.plat_private_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.system_ext_private_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.product_private_30.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_policy.cil",
+ src: ":30.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "30.0_plat_policy",
+ srcs: [":30.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
new file mode 100644
index 0000000..dbb07b4
--- /dev/null
+++ b/prebuilts/api/31.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "31.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_31.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_pub_policy.cil",
+ src: ":31.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "31.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_product_pub_policy.cil",
+ src: ":31.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "31.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.plat_private_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.system_ext_private_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.product_private_31.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_policy.cil",
+ src: ":31.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "31.0_plat_policy",
+ srcs: [":31.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/31.0/public/domain.te b/prebuilts/api/31.0/public/domain.te
index 38266cd..799a2f1 100644
--- a/prebuilts/api/31.0/public/domain.te
+++ b/prebuilts/api/31.0/public/domain.te
@@ -353,10 +353,6 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
-
###
### neverallow rules
###
diff --git a/prebuilts/api/31.0/public/property.te b/prebuilts/api/31.0/public/property.te
index 57b6ad6..1d3f358 100644
--- a/prebuilts/api/31.0/public/property.te
+++ b/prebuilts/api/31.0/public/property.te
@@ -8,6 +8,7 @@
system_internal_prop(device_config_activity_manager_native_boot_prop)
system_internal_prop(device_config_boot_count_prop)
system_internal_prop(device_config_input_native_boot_prop)
+system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(firstboot_prop)
@@ -64,7 +65,6 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
-system_restricted_prop(device_config_media_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(fingerprint_prop)
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
new file mode 100644
index 0000000..39722b4
--- /dev/null
+++ b/prebuilts/api/32.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "32.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_32.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_pub_policy.cil",
+ src: ":32.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "32.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_product_pub_policy.cil",
+ src: ":32.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "32.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.plat_private_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.system_ext_private_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.product_private_32.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_policy.cil",
+ src: ":32.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "32.0_plat_policy",
+ srcs: [":32.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/32.0/public/domain.te b/prebuilts/api/32.0/public/domain.te
index 38266cd..799a2f1 100644
--- a/prebuilts/api/32.0/public/domain.te
+++ b/prebuilts/api/32.0/public/domain.te
@@ -353,10 +353,6 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
-
###
### neverallow rules
###
diff --git a/prebuilts/api/32.0/public/property.te b/prebuilts/api/32.0/public/property.te
index f019b23..2b2af6d 100644
--- a/prebuilts/api/32.0/public/property.te
+++ b/prebuilts/api/32.0/public/property.te
@@ -8,6 +8,7 @@
system_internal_prop(device_config_activity_manager_native_boot_prop)
system_internal_prop(device_config_boot_count_prop)
system_internal_prop(device_config_input_native_boot_prop)
+system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(firstboot_prop)
@@ -64,7 +65,6 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
-system_restricted_prop(device_config_media_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(fingerprint_prop)
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
new file mode 100644
index 0000000..9bc68c6
--- /dev/null
+++ b/prebuilts/api/33.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "33.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_33.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_pub_policy.cil",
+ src: ":33.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "33.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_product_pub_policy.cil",
+ src: ":33.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "33.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.plat_private_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.system_ext_private_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.product_private_33.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_policy.cil",
+ src: ":33.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "33.0_plat_policy",
+ srcs: [":33.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/33.0/private/gmscore_app.te b/prebuilts/api/33.0/private/gmscore_app.te
index 8795798..d615d9b 100644
--- a/prebuilts/api/33.0/private/gmscore_app.te
+++ b/prebuilts/api/33.0/private/gmscore_app.te
@@ -46,6 +46,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index f491f15..de529f5 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -359,10 +359,6 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
-
###
### neverallow rules
###
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index 6bd8c07..b8e111b 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -8,6 +8,7 @@
system_internal_prop(device_config_activity_manager_native_boot_prop)
system_internal_prop(device_config_boot_count_prop)
system_internal_prop(device_config_input_native_boot_prop)
+system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(firstboot_prop)
@@ -63,7 +64,6 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
-system_restricted_prop(device_config_media_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
new file mode 100644
index 0000000..499a342
--- /dev/null
+++ b/prebuilts/api/34.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "34.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_34.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_pub_policy.cil",
+ src: ":34.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "34.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_product_pub_policy.cil",
+ src: ":34.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "34.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.plat_private_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.system_ext_private_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.product_private_34.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_policy.cil",
+ src: ":34.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "34.0_plat_policy",
+ srcs: [":34.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/34.0/private/apexd.te b/prebuilts/api/34.0/private/apexd.te
index f158ef6..b74d4ee 100644
--- a/prebuilts/api/34.0/private/apexd.te
+++ b/prebuilts/api/34.0/private/apexd.te
@@ -102,8 +102,8 @@
allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex
-r_dir_file(apexd, vendor_apex_file)
-r_dir_file(apexd, vendor_apex_metadata_file)
+allow apexd vendor_apex_file:dir r_dir_perms;
+allow apexd vendor_apex_file:file r_file_perms;
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
diff --git a/prebuilts/api/34.0/private/bootstat.te b/prebuilts/api/34.0/private/bootstat.te
index 99d8c6d..016292e 100644
--- a/prebuilts/api/34.0/private/bootstat.te
+++ b/prebuilts/api/34.0/private/bootstat.te
@@ -17,7 +17,6 @@
-dumpstate
userdebug_or_eng(`-incidentd')
-init
- -platform_app
-recovery
-shell
-system_server
diff --git a/prebuilts/api/34.0/private/bpfloader.te b/prebuilts/api/34.0/private/bpfloader.te
index 0ad2c6b..eecda30 100644
--- a/prebuilts/api/34.0/private/bpfloader.te
+++ b/prebuilts/api/34.0/private/bpfloader.te
@@ -41,8 +41,7 @@
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file { getattr read };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
-neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobe_private:file { getattr read };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
@@ -63,9 +62,8 @@
-netutils_wrapper
-network_stack
-system_server
- -uprobestats
} *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.cil
index 204048e..8fa3985 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.cil
@@ -2544,10 +2544,7 @@
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
(typeattributeset vendor_app_file_33_0 (vendor_app_file))
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
-(typeattributeset vendor_configs_file_33_0
- ( vendor_configs_file
- vendor_apex_metadata_file
-))
+(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
(typeattributeset vendor_file_33_0 (vendor_file))
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index ee24b76..201c565 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -47,7 +47,6 @@
hypervisor_restricted_prop
isolated_compute_app
keystore_config_prop
- ntfs
ondevicepersonalization_system_service
fuseblk
fuseblkd_untrusted
@@ -60,6 +59,7 @@
quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
+ repair_mode_metadata_file
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
diff --git a/prebuilts/api/34.0/private/coredomain.te b/prebuilts/api/34.0/private/coredomain.te
index f9b47df..83930a5 100644
--- a/prebuilts/api/34.0/private/coredomain.te
+++ b/prebuilts/api/34.0/private/coredomain.te
@@ -150,7 +150,6 @@
-apexd
-init
-ueventd
- -vfio_handler
-vold
} sysfs:file no_rw_file_perms;
diff --git a/prebuilts/api/34.0/private/crosvm.te b/prebuilts/api/34.0/private/crosvm.te
index 31d6c19..f1012b7 100644
--- a/prebuilts/api/34.0/private/crosvm.te
+++ b/prebuilts/api/34.0/private/crosvm.te
@@ -91,14 +91,6 @@
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
-# Allow crosvm to interact to VFIO device
-allow crosvm vfio_device:chr_file rw_file_perms;
-allow crosvm vfio_device:dir r_dir_perms;
-
-# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
-allow crosvm vfio_handler:fd use;
-allow crosvm vfio_handler:fifo_file r_file_perms;
-
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/prebuilts/api/34.0/private/derive_classpath.te b/prebuilts/api/34.0/private/derive_classpath.te
index 4f15d5a..2299ba0 100644
--- a/prebuilts/api/34.0/private/derive_classpath.te
+++ b/prebuilts/api/34.0/private/derive_classpath.te
@@ -6,7 +6,6 @@
# Read /apex
allow derive_classpath apex_mnt_dir:dir r_dir_perms;
-allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
# Create /data/system/environ/classpath file
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
diff --git a/prebuilts/api/34.0/private/derive_sdk.te b/prebuilts/api/34.0/private/derive_sdk.te
index c47f0a5..f46c614 100644
--- a/prebuilts/api/34.0/private/derive_sdk.te
+++ b/prebuilts/api/34.0/private/derive_sdk.te
@@ -6,7 +6,6 @@
# Read /apex
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
-allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
set_prop(derive_sdk, module_sdkextensions_prop)
diff --git a/prebuilts/api/34.0/private/dex2oat.te b/prebuilts/api/34.0/private/dex2oat.te
index ea9ab9c..6ada2e2 100644
--- a/prebuilts/api/34.0/private/dex2oat.te
+++ b/prebuilts/api/34.0/private/dex2oat.te
@@ -82,7 +82,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
+allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index 1b5af99..f98a285 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -609,7 +609,6 @@
-same_process_hal_file
-vendor_app_file
-vendor_apex_file
- -vendor_apex_metadata_file
-vendor_configs_file
-vendor_service_contexts_file
-vendor_framework_file
@@ -678,16 +677,6 @@
# Restrict write access to etm sysfs interface.
neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
-# Restrict CAP_PERFMON.
-neverallow {
- domain
- -init
- -vendor_modprobe
- userdebug_or_eng(`-simpleperf_boot')
- -kernel
- -uprobestats
-} self:capability2 perfmon;
-
# Restrict direct access to shell owned files. The /data/local/tmp directory is
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
diff --git a/prebuilts/api/34.0/private/fastbootd.te b/prebuilts/api/34.0/private/fastbootd.te
index 7dc1741..a189d23 100644
--- a/prebuilts/api/34.0/private/fastbootd.te
+++ b/prebuilts/api/34.0/private/fastbootd.te
@@ -42,6 +42,7 @@
# Mount /metadata to interact with Virtual A/B snapshots.
allow fastbootd labeledfs:filesystem { mount unmount };
+ set_prop(fastbootd, boottime_prop)
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
diff --git a/prebuilts/api/34.0/private/file.te b/prebuilts/api/34.0/private/file.te
index e81108a..f6781b0 100644
--- a/prebuilts/api/34.0/private/file.te
+++ b/prebuilts/api/34.0/private/file.te
@@ -8,7 +8,6 @@
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
type fs_bpf_loader, fs_type, bpffs_type;
-type fs_bpf_uprobe_private, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -134,6 +133,3 @@
# /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
-
-# Type for /sys/devices/uprobe.
-type sysfs_uprobe, fs_type, sysfs_type;
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index 3612b67..0caddf2 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -191,7 +191,6 @@
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
-/dev/vfio(/.*)? u:object_r:vfio_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
@@ -234,9 +233,6 @@
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
-/system/bin/ntfs-3g -- u:object_r:fuseblkd_untrusted_exec:s0
-/system/bin/ntfs-3g-compart -- u:object_r:fuseblkd_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
@@ -387,7 +383,6 @@
/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
-/system/bin/uprobestats u:object_r:uprobestats_exec:s0
#############################
# Vendor files
@@ -846,6 +841,7 @@
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
#############################
# asec containers
diff --git a/prebuilts/api/34.0/private/genfs_contexts b/prebuilts/api/34.0/private/genfs_contexts
index 8ad21e6..759ac38 100644
--- a/prebuilts/api/34.0/private/genfs_contexts
+++ b/prebuilts/api/34.0/private/genfs_contexts
@@ -176,7 +176,6 @@
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
-genfscon sysfs /devices/uprobe u:object_r:sysfs_uprobe:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
@@ -411,4 +410,3 @@
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
-genfscon bpf /uprobe_private u:object_r:fs_bpf_uprobe_private:s0
diff --git a/prebuilts/api/34.0/private/gmscore_app.te b/prebuilts/api/34.0/private/gmscore_app.te
index 46b90c6..b662f4f 100644
--- a/prebuilts/api/34.0/private/gmscore_app.te
+++ b/prebuilts/api/34.0/private/gmscore_app.te
@@ -46,6 +46,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/34.0/private/gsid.te b/prebuilts/api/34.0/private/gsid.te
index e795cea..9391016 100644
--- a/prebuilts/api/34.0/private/gsid.te
+++ b/prebuilts/api/34.0/private/gsid.te
@@ -150,7 +150,7 @@
allow gsid {
gsi_data_file
ota_image_data_file
-}:dir rw_dir_perms;
+}:dir create_dir_perms;
allow gsid {
gsi_data_file
ota_image_data_file
diff --git a/prebuilts/api/34.0/private/linkerconfig.te b/prebuilts/api/34.0/private/linkerconfig.te
index bd46ca4..7e78c19 100644
--- a/prebuilts/api/34.0/private/linkerconfig.te
+++ b/prebuilts/api/34.0/private/linkerconfig.te
@@ -19,9 +19,6 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
-# Allow linkerconfig to read apex_manifest.pb file from vendor apex
-r_dir_file(linkerconfig, vendor_apex_metadata_file)
-
# Allow linkerconfig to be called in the otapreopt_chroot
allow linkerconfig otapreopt_chroot:fd use;
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
diff --git a/prebuilts/api/34.0/private/otapreopt_chroot.te b/prebuilts/api/34.0/private/otapreopt_chroot.te
index ea9d4ee..73e170b 100644
--- a/prebuilts/api/34.0/private/otapreopt_chroot.te
+++ b/prebuilts/api/34.0/private/otapreopt_chroot.te
@@ -36,9 +36,10 @@
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
get_prop(otapreopt_chroot, apexd_prop)
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
+# Allow otapreopt to use file descriptors from update-engine and the postinstall
+# script. It will read dexopt commands from stdin and write progress to stdout.
allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot postinstall:fifo_file { read write getattr };
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/prebuilts/api/34.0/private/platform_app.te b/prebuilts/api/34.0/private/platform_app.te
index 44de21c..6d49502 100644
--- a/prebuilts/api/34.0/private/platform_app.te
+++ b/prebuilts/api/34.0/private/platform_app.te
@@ -113,9 +113,6 @@
# allow platform apps to read qemu.hw.mainkeys
get_prop(platform_app, qemu_hw_prop)
-# allow platform apps to read sys.boot.reason.last
-get_prop(platform_app, last_boot_reason_prop)
-
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index 7a17035..da0ea5b 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -1111,6 +1111,8 @@
ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.name_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.device_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.manufacturer_for_attestation u:object_r:build_attestation_prop:s0 exact string
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
@@ -1324,6 +1326,7 @@
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.clear_slots_with_set_layer_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/prebuilts/api/34.0/private/service.te b/prebuilts/api/34.0/private/service.te
index 06b03e0..98be17d 100644
--- a/prebuilts/api/34.0/private/service.te
+++ b/prebuilts/api/34.0/private/service.te
@@ -4,6 +4,7 @@
type compos_service, service_manager_type;
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
+type feature_flags_service, app_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type logcat_service, system_server_service, service_manager_type;
@@ -20,6 +21,5 @@
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
-type vfio_handler_service, service_manager_type;
type uce_service, service_manager_type;
type wearable_sensing_service, system_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/34.0/private/service_contexts b/prebuilts/api/34.0/private/service_contexts
index 8a7069a..553a71d 100644
--- a/prebuilts/api/34.0/private/service_contexts
+++ b/prebuilts/api/34.0/private/service_contexts
@@ -24,7 +24,6 @@
android.hardware.automotive.remoteaccess.IRemoteAccess/default u:object_r:hal_remoteaccess_service:s0
android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
-android.hardware.biometrics.face.IFace/virtual u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
@@ -145,7 +144,6 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
-android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
@@ -228,6 +226,7 @@
external_vibrator_service u:object_r:external_vibrator_service:s0
ethernet u:object_r:ethernet_service:s0
face u:object_r:face_service:s0
+feature_flags u:object_r:feature_flags_service:s0
file_integrity u:object_r:file_integrity_service:s0
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
diff --git a/prebuilts/api/34.0/private/shell.te b/prebuilts/api/34.0/private/shell.te
index 181963c..85d09f9 100644
--- a/prebuilts/api/34.0/private/shell.te
+++ b/prebuilts/api/34.0/private/shell.te
@@ -136,7 +136,6 @@
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
-allow shell vendor_apex_metadata_file:dir r_dir_perms;
# Allow shell to read updated APEXes under /data/apex
allow shell apex_data_file:dir search;
diff --git a/prebuilts/api/34.0/private/system_server.te b/prebuilts/api/34.0/private/system_server.te
index 98d859c..aff4a0a 100644
--- a/prebuilts/api/34.0/private/system_server.te
+++ b/prebuilts/api/34.0/private/system_server.te
@@ -1441,6 +1441,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
diff --git a/prebuilts/api/34.0/private/uprobestats.te b/prebuilts/api/34.0/private/uprobestats.te
deleted file mode 100644
index f2a4ae3..0000000
--- a/prebuilts/api/34.0/private/uprobestats.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type uprobestats, domain, coredomain;
-
-typeattribute uprobestats bpfdomain;
-
-type uprobestats_exec, system_file_type, exec_type, file_type;
-
-# Allow uprobestats to be invoked by statsd.
-domain_auto_trans(statsd, uprobestats_exec, uprobestats)
-
-allow uprobestats fs_bpf_uprobe_private:file { read write };
-allow uprobestats fs_bpf_uprobe_private:dir search;
-allow uprobestats bpfloader:bpf { map_read map_write prog_run };
-allow uprobestats self:capability2 perfmon;
-allow uprobestats self:perf_event { cpu open write };
-allow uprobestats sysfs_uprobe:file { open read };
-allow uprobestats sysfs_uprobe:dir { search };
diff --git a/prebuilts/api/34.0/private/vfio_handler.te b/prebuilts/api/34.0/private/vfio_handler.te
deleted file mode 100644
index 706a6ca..0000000
--- a/prebuilts/api/34.0/private/vfio_handler.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
-# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
-type vfio_handler, domain, coredomain;
-type vfio_handler_exec, system_file_type, exec_type, file_type;
-
-# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
-init_daemon_domain(vfio_handler)
-
-# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
-add_service(vfio_handler, vfio_handler_service)
-
-# Let the vfio_handler domain use Binder.
-binder_use(vfio_handler)
-
-# Allow vfio_handler to check if VFIO is supported
-allow vfio_handler vfio_device:chr_file getattr;
-allow vfio_handler vfio_device:dir r_dir_perms;
-
-# Allow vfio_handler to bind/unbind platform devices
-allow vfio_handler sysfs:dir r_dir_perms;
-allow vfio_handler sysfs:file rw_file_perms;
-
-# Only vfio_handler can add vfio_handler_service
-neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
diff --git a/prebuilts/api/34.0/private/virtualizationmanager.te b/prebuilts/api/34.0/private/virtualizationmanager.te
index 70338ff..bfad8e7 100644
--- a/prebuilts/api/34.0/private/virtualizationmanager.te
+++ b/prebuilts/api/34.0/private/virtualizationmanager.te
@@ -86,7 +86,3 @@
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
# a harmless denial for CompOS log files, so ignore that.
dontaudit virtualizationmanager apex_module_data_file:dir search;
-
-# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler.
-allow virtualizationmanager vfio_handler:fd use;
-allow virtualizationmanager vfio_handler:fifo_file r_file_perms;
diff --git a/prebuilts/api/34.0/private/virtualizationservice.te b/prebuilts/api/34.0/private/virtualizationservice.te
index a4588dc..561e778 100644
--- a/prebuilts/api/34.0/private/virtualizationservice.te
+++ b/prebuilts/api/34.0/private/virtualizationservice.te
@@ -15,10 +15,6 @@
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
-# Let virtualizationservice find and communicate with vfio_handler.
-allow virtualizationservice vfio_handler_service:service_manager find;
-binder_call(virtualizationservice, vfio_handler)
-
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
@@ -58,14 +54,6 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
-# Allow virtualizationservice to check if VFIO is supported
-allow virtualizationservice vfio_device:chr_file getattr;
-allow virtualizationservice vfio_device:dir r_dir_perms;
-
-# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
-allow virtualizationservice vfio_handler:fd use;
-allow virtualizationservice vfio_handler:fifo_file r_file_perms;
-
neverallow {
domain
-init
@@ -84,6 +72,3 @@
-virtualizationmanager
-virtualizationservice
}:process setrlimit;
-
-# Only virtualizationservice can communicate to vfio_handler
-neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
diff --git a/prebuilts/api/34.0/private/zygote.te b/prebuilts/api/34.0/private/zygote.te
index be94a52..d61a431 100644
--- a/prebuilts/api/34.0/private/zygote.te
+++ b/prebuilts/api/34.0/private/zygote.te
@@ -258,7 +258,6 @@
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
-allow zygote vendor_apex_metadata_file:dir { search };
# Allow zygote to query for compression/features.
r_dir_file(zygote, sysfs_fs_f2fs)
diff --git a/prebuilts/api/34.0/public/device.te b/prebuilts/api/34.0/public/device.te
index 36299d3..fa29256 100644
--- a/prebuilts/api/34.0/public/device.te
+++ b/prebuilts/api/34.0/public/device.te
@@ -129,6 +129,3 @@
# Root disk file for disk tunables
type rootdisk_sysdev, dev_type;
-
-# vfio device
-type vfio_device, dev_type;
diff --git a/prebuilts/api/34.0/public/file.te b/prebuilts/api/34.0/public/file.te
index 9d43ccb..7cfd8ad 100644
--- a/prebuilts/api/34.0/public/file.te
+++ b/prebuilts/api/34.0/public/file.te
@@ -287,6 +287,8 @@
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -381,8 +383,6 @@
type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex
type vendor_apex_file, vendor_file_type, file_type;
-# apex_manifest.pb in vendor apex
-type vendor_apex_metadata_file, vendor_file_type, file_type;
# /data/system/shutdown-checkpoints
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/prebuilts/api/34.0/public/te_macros b/prebuilts/api/34.0/public/te_macros
index c4ebc63..63805de 100644
--- a/prebuilts/api/34.0/public/te_macros
+++ b/prebuilts/api/34.0/public/te_macros
@@ -1047,7 +1047,6 @@
define(`use_apex_info', `
allow $1 apex_mnt_dir:dir r_dir_perms;
allow $1 apex_info_file:file r_file_perms;
- r_dir_file($1, vendor_apex_metadata_file)
')
####################################
diff --git a/private/access_vectors b/private/access_vectors
index adb3a61..32d73dd 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -726,6 +726,7 @@
early_boot_ended
get_attestation_key
get_auth_token
+ get_last_auth_time
get_state
list
lock
diff --git a/private/apexd.te b/private/apexd.te
index f158ef6..b62e6e6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -13,14 +13,6 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
-# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
-allow apexd sepolicy_metadata_file:dir create_dir_perms;
-allow apexd sepolicy_metadata_file:file create_file_perms;
-# Allow apexd to setup fs-verity for SEPolicy files in metadata
-allowxperm apexd sepolicy_metadata_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir create_dir_perms;
allow apexd apex_ota_reserved_file:file create_file_perms;
diff --git a/private/app.te b/private/app.te
index 6914fd3..b5bb474 100644
--- a/private/app.te
+++ b/private/app.te
@@ -47,6 +47,7 @@
get_prop(appdomain, dck_prop)
get_prop(appdomain, persist_wm_debug_prop)
get_prop(appdomain, persist_sysui_builder_extras_prop)
+get_prop(appdomain, persist_sysui_ranking_update_prop)
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(appdomain, traced_oome_heap_session_count_prop)
@@ -101,6 +102,10 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+# Don't allow apps reading /system/etc/font_fallback.xml
+dontaudit appdomain system_font_fallback_file:file no_rw_file_perms;
+neverallow appdomain system_font_fallback_file:file no_rw_file_perms;
+
# Allow to read sendbug.preferred.domain
get_prop(appdomain, sendbug_config_prop)
@@ -132,18 +137,21 @@
neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
+allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
-r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
# Perform binder IPC to sdk sandbox.
binder_call(appdomain, sdk_sandbox_all)
+# Allow apps to communicate via binder with virtual camera service.
+binder_call(appdomain, virtual_camera)
+
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
@@ -168,14 +176,12 @@
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
#logd access
-control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
+control_logd({ appdomain -ephemeral_app -sdk_sandbox_all })
# application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2 get_state;
use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
@@ -258,6 +264,7 @@
# App sandbox file accesses.
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
+allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file ioctl FS_IOC_MEASURE_VERITY;
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
@@ -308,16 +315,16 @@
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
# Read/write wallpaper file (opened by system).
-allow { appdomain -isolated_app_all } wallpaper_file:file { getattr read write map };
+allow appdomain wallpaper_file:file { getattr read write map };
# Read/write cached ringtones (opened by system).
-allow { appdomain -isolated_app_all } ringtone_file:file { getattr read write map };
+allow appdomain ringtone_file:file { getattr read write map };
# Read ShortcutManager icon files (opened by system).
-allow { appdomain -isolated_app_all } shortcut_manager_icons:file { getattr read map };
+allow appdomain shortcut_manager_icons:file { getattr read map };
# Read icon file (opened by system).
-allow { appdomain -isolated_app_all } icon_file:file { getattr read map };
+allow appdomain icon_file:file { getattr read map };
# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ea10df5..5ea924a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -295,3 +295,6 @@
# anon_inode usages like userfaultfd and io_uring. This prevents us from
# creating a more fine-grained neverallow policy for each anon_inode usage.
neverallow all_untrusted_apps domain:anon_inode *;
+
+# Do not allow untrusted app access to hidraw devices.
+neverallow all_untrusted_apps hidraw_device:chr_file *;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 6552d63..46cea8e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -20,6 +20,9 @@
# For JIT
allow app_zygote self:process execmem;
+# Allow exec mapping from tmpfs (memfds) for binary translation
+allow app_zygote app_zygote_tmpfs:file execute;
+
# Allow app_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
@@ -31,6 +34,8 @@
# Interaction between the app_zygote and its children.
allow app_zygote isolated_app:process setpgid;
+allow app_zygote properties_device:dir mounton;
+
# TODO (b/63631799) fix this access
dontaudit app_zygote mnt_expand_file:dir getattr;
@@ -74,6 +79,8 @@
# Allow app_zygote access to /vendor/overlay
r_dir_file(app_zygote, vendor_overlay_file)
+# Allow app_zygote to read vendor_overlay_file from vendor apex as well
+allow app_zygote vendor_apex_metadata_file:dir { getattr search };
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
diff --git a/private/art_boot.te b/private/art_boot.te
index 1b088d6..0922931 100644
--- a/private/art_boot.te
+++ b/private/art_boot.te
@@ -4,6 +4,10 @@
init_daemon_domain(art_boot)
+# Allow query of device config properties, typically experiment flags.
+get_prop(art_boot, device_config_runtime_native_boot_prop)
+get_prop(art_boot, device_config_runtime_native_prop)
+
# Allow ART to set its config properties at boot, mainly to be able to propagate
# experiment flags to properties that only may change at boot.
set_prop(art_boot, dalvik_config_prop_type)
diff --git a/private/artd.te b/private/artd.te
index ef54d8c..acab397 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -7,7 +7,8 @@
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
-allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fd use;
init_daemon_domain(artd)
@@ -39,9 +40,11 @@
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
-# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
allow artd oemfs:dir { getattr search };
r_dir_file(artd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow artd vendor_apex_metadata_file:dir { getattr search };
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
r_dir_file(artd, vendor_framework_file)
@@ -134,3 +137,8 @@
# This is needed for getting CPU time and wall time spent on subprocesses.
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);
+
+# Allow artd to reopen its own memfd.
+# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
+# that don't have write permissions on memfds.
+allow artd artd_tmpfs:file open;
diff --git a/private/atrace.te b/private/atrace.te
index 50ab392..1712648 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -77,3 +77,5 @@
allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
')
+
+dontaudit atrace debugfs_tracing_debug:file audit_access;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index fa9dd7d..b8ae9f4 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -1,4 +1,5 @@
-# Rules common to all binder service domains
+# Rules common to some specific binder service domains.
+# Deprecated. Consider granting the exact permissions required by your service.
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
@@ -17,8 +18,6 @@
# allow all services to run permission checks
allow binderservicedomain permission_service:service_manager find;
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
diff --git a/private/bootanim.te b/private/bootanim.te
index f4fb0bc..f63a230 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -16,5 +16,8 @@
# Allow updating boot animation status.
set_prop(bootanim, bootanim_system_prop)
-# Allow accessing /data/bootanim
+# Allow accessing /data/misc/bootanim
r_dir_file(bootanim, bootanim_data_file)
+
+# Allow accessing vendor apex for EGL/GLES
+allow bootanim vendor_apex_metadata_file:dir r_dir_perms;
diff --git a/private/bug_map b/private/bug_map
index 0a1d741..3a78a40 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,6 +1,7 @@
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app system_data_file dir b/146166941
+gmscore_app kernel security b/303319090
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
@@ -18,8 +19,12 @@
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
+mediaprovider_app device_config_media_native_prop file b/308043377
mediaswcodec ashmem_device chr_file b/142679232
+nfc device_config_media_native_prop file b/308043377
+platform_app device_config_media_native_prop file b/308043377
platform_app nfc_data_file dir b/74331887
+platform_app system_data_file dir b/306090533
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server system_server capability b/228030183
@@ -28,4 +33,4 @@
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
+zygote labeledfs filesystem b/170748799
\ No newline at end of file
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 96d7dbd..76ffba6 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -7,3 +7,4 @@
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver gpu_device:dir r_dir_perms;
+allow cameraserver virtual_camera:binder call;
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 7315687..408cf33 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,13 +1,15 @@
;; types removed from current policy
(type ashmemd)
+(type clatd_exec)
+(type clatd)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_vold_prop)
(type exported2_config_prop)
(type exported2_vold_prop)
(type hal_wifi_offload_hwservice)
-(type install_recovery)
(type install_recovery_exec)
+(type install_recovery)
(type mediacodec_service)
(type perfprofd_data_file)
(type perfprofd_service)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 83d83ff..f95488c 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,11 +1,16 @@
;; types removed from current policy
+(type adbd_prop)
(type cgroup_bpf)
+(type device_config_configuration_prop)
+(type device_config_storage_native_boot_prop)
+(type device_config_sys_traced_prop)
+(type device_config_window_manager_native_boot_prop)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_ffs_prop)
(type exported_fingerprint_prop)
-(type exported_system_radio_prop)
(type exported_radio_prop)
+(type exported_system_radio_prop)
(type exported_vold_prop)
(type exported_wifi_prop)
(type exported2_config_prop)
@@ -16,8 +21,19 @@
(type exported3_default_prop)
(type exported3_radio_prop)
(type ffs_prop)
+(type gsid_prop)
+(type init_perf_lsm_hooks_prop)
+(type init_svc_debug_prop)
+(type last_boot_reason_prop)
+(type mediatranscoding_exec)
+(type netd_stable_secret_prop)
+(type pm_prop)
+(type system_adbd_prop)
(type system_radio_prop)
(type thermalcallback_hwservice)
+(type traced_perf_enabled_prop)
+(type userspace_reboot_log_prop)
+(type userspace_reboot_test_prop)
(typeattribute binder_in_vendor_violators)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ee24b76..352aecf 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -18,15 +18,18 @@
credential_service
device_as_webcam
device_config_camera_native_prop
+ device_config_core_experiments_team_internal_prop
device_config_edgetpu_native_prop
device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop
device_config_updatable_service
device_config_vendor_system_native_prop
+ device_config_aconfig_flags_prop
devicelock_service
fwk_altitude_service
fwk_camera_service
fwk_sensor_service
+ game_manager_config_prop
grammatical_inflection_service
graphics_config_writable_prop
hal_bluetooth_service
@@ -47,22 +50,25 @@
hypervisor_restricted_prop
isolated_compute_app
keystore_config_prop
- ntfs
ondevicepersonalization_system_service
fuseblk
fuseblkd_untrusted
fuseblkd_untrusted_exec
fuseblkd
fuseblkd_exec
+ ota_build_prop
permissive_mte_prop
persist_sysui_builder_extras_prop
+ persist_sysui_ranking_update_prop
prng_seeder
quick_start_prop
recovery_usb_config_prop
remote_provisioning_service
+ repair_mode_metadata_file
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
+ snapuserd_log_data_file
stats_config_data_file
sysfs_fs_fuse_features
system_net_netd_service
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
new file mode 100644
index 0000000..aa8a56c
--- /dev/null
+++ b/private/compat/34.0/34.0.cil
@@ -0,0 +1,2709 @@
+;; mapping information from ToT policy's types to 34.0 policy's types.
+(expandtypeattribute (DockObserver_service_34_0) true)
+(expandtypeattribute (IProxyService_service_34_0) true)
+(expandtypeattribute (aac_drc_prop_34_0) true)
+(expandtypeattribute (aaudio_config_prop_34_0) true)
+(expandtypeattribute (ab_update_gki_prop_34_0) true)
+(expandtypeattribute (accessibility_service_34_0) true)
+(expandtypeattribute (account_service_34_0) true)
+(expandtypeattribute (activity_service_34_0) true)
+(expandtypeattribute (activity_task_service_34_0) true)
+(expandtypeattribute (adaptive_haptics_prop_34_0) true)
+(expandtypeattribute (adb_data_file_34_0) true)
+(expandtypeattribute (adb_keys_file_34_0) true)
+(expandtypeattribute (adb_service_34_0) true)
+(expandtypeattribute (adbd_34_0) true)
+(expandtypeattribute (adbd_config_prop_34_0) true)
+(expandtypeattribute (adbd_exec_34_0) true)
+(expandtypeattribute (adbd_socket_34_0) true)
+(expandtypeattribute (adservices_manager_service_34_0) true)
+(expandtypeattribute (aidl_lazy_test_server_34_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_34_0) true)
+(expandtypeattribute (aidl_lazy_test_service_34_0) true)
+(expandtypeattribute (alarm_service_34_0) true)
+(expandtypeattribute (anr_data_file_34_0) true)
+(expandtypeattribute (apc_service_34_0) true)
+(expandtypeattribute (apex_data_file_34_0) true)
+(expandtypeattribute (apex_info_file_34_0) true)
+(expandtypeattribute (apex_metadata_file_34_0) true)
+(expandtypeattribute (apex_mnt_dir_34_0) true)
+(expandtypeattribute (apex_module_data_file_34_0) true)
+(expandtypeattribute (apex_ota_reserved_file_34_0) true)
+(expandtypeattribute (apex_ready_prop_34_0) true)
+(expandtypeattribute (apex_rollback_data_file_34_0) true)
+(expandtypeattribute (apex_service_34_0) true)
+(expandtypeattribute (apex_system_server_data_file_34_0) true)
+(expandtypeattribute (apexd_34_0) true)
+(expandtypeattribute (apexd_config_prop_34_0) true)
+(expandtypeattribute (apexd_exec_34_0) true)
+(expandtypeattribute (apexd_prop_34_0) true)
+(expandtypeattribute (apexd_select_prop_34_0) true)
+(expandtypeattribute (apk_data_file_34_0) true)
+(expandtypeattribute (apk_private_data_file_34_0) true)
+(expandtypeattribute (apk_private_tmp_file_34_0) true)
+(expandtypeattribute (apk_tmp_file_34_0) true)
+(expandtypeattribute (apk_verity_prop_34_0) true)
+(expandtypeattribute (app_binding_service_34_0) true)
+(expandtypeattribute (app_data_file_34_0) true)
+(expandtypeattribute (app_fuse_file_34_0) true)
+(expandtypeattribute (app_fusefs_34_0) true)
+(expandtypeattribute (app_hibernation_service_34_0) true)
+(expandtypeattribute (app_integrity_service_34_0) true)
+(expandtypeattribute (app_prediction_service_34_0) true)
+(expandtypeattribute (app_search_service_34_0) true)
+(expandtypeattribute (app_zygote_34_0) true)
+(expandtypeattribute (app_zygote_tmpfs_34_0) true)
+(expandtypeattribute (appcompat_data_file_34_0) true)
+(expandtypeattribute (appdomain_tmpfs_34_0) true)
+(expandtypeattribute (appops_service_34_0) true)
+(expandtypeattribute (appwidget_service_34_0) true)
+(expandtypeattribute (arm64_memtag_prop_34_0) true)
+(expandtypeattribute (art_apex_dir_34_0) true)
+(expandtypeattribute (artd_34_0) true)
+(expandtypeattribute (artd_service_34_0) true)
+(expandtypeattribute (asec_apk_file_34_0) true)
+(expandtypeattribute (asec_image_file_34_0) true)
+(expandtypeattribute (asec_public_file_34_0) true)
+(expandtypeattribute (ashmem_device_34_0) true)
+(expandtypeattribute (ashmem_libcutils_device_34_0) true)
+(expandtypeattribute (assetatlas_service_34_0) true)
+(expandtypeattribute (atrace_34_0) true)
+(expandtypeattribute (attestation_verification_service_34_0) true)
+(expandtypeattribute (audio_config_prop_34_0) true)
+(expandtypeattribute (audio_data_file_34_0) true)
+(expandtypeattribute (audio_device_34_0) true)
+(expandtypeattribute (audio_prop_34_0) true)
+(expandtypeattribute (audio_service_34_0) true)
+(expandtypeattribute (audiohal_data_file_34_0) true)
+(expandtypeattribute (audioserver_34_0) true)
+(expandtypeattribute (audioserver_data_file_34_0) true)
+(expandtypeattribute (audioserver_service_34_0) true)
+(expandtypeattribute (audioserver_tmpfs_34_0) true)
+(expandtypeattribute (auth_service_34_0) true)
+(expandtypeattribute (authorization_service_34_0) true)
+(expandtypeattribute (autofill_service_34_0) true)
+(expandtypeattribute (backup_data_file_34_0) true)
+(expandtypeattribute (backup_service_34_0) true)
+(expandtypeattribute (battery_service_34_0) true)
+(expandtypeattribute (batteryproperties_service_34_0) true)
+(expandtypeattribute (batterystats_service_34_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_34_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_34_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_34_0) true)
+(expandtypeattribute (binder_calls_stats_service_34_0) true)
+(expandtypeattribute (binder_device_34_0) true)
+(expandtypeattribute (binderfs_34_0) true)
+(expandtypeattribute (binderfs_features_34_0) true)
+(expandtypeattribute (binderfs_logs_34_0) true)
+(expandtypeattribute (binderfs_logs_proc_34_0) true)
+(expandtypeattribute (binfmt_miscfs_34_0) true)
+(expandtypeattribute (biometric_service_34_0) true)
+(expandtypeattribute (blkid_34_0) true)
+(expandtypeattribute (blkid_untrusted_34_0) true)
+(expandtypeattribute (blob_store_service_34_0) true)
+(expandtypeattribute (block_device_34_0) true)
+(expandtypeattribute (bluetooth_34_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_34_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_34_0) true)
+(expandtypeattribute (bluetooth_config_prop_34_0) true)
+(expandtypeattribute (bluetooth_data_file_34_0) true)
+(expandtypeattribute (bluetooth_efs_file_34_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_34_0) true)
+(expandtypeattribute (bluetooth_manager_service_34_0) true)
+(expandtypeattribute (bluetooth_prop_34_0) true)
+(expandtypeattribute (bluetooth_service_34_0) true)
+(expandtypeattribute (bluetooth_socket_34_0) true)
+(expandtypeattribute (boot_block_device_34_0) true)
+(expandtypeattribute (boot_status_prop_34_0) true)
+(expandtypeattribute (bootanim_34_0) true)
+(expandtypeattribute (bootanim_config_prop_34_0) true)
+(expandtypeattribute (bootanim_exec_34_0) true)
+(expandtypeattribute (bootanim_system_prop_34_0) true)
+(expandtypeattribute (bootchart_data_file_34_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_34_0) true)
+(expandtypeattribute (bootloader_prop_34_0) true)
+(expandtypeattribute (bootstat_34_0) true)
+(expandtypeattribute (bootstat_data_file_34_0) true)
+(expandtypeattribute (bootstat_exec_34_0) true)
+(expandtypeattribute (boottime_prop_34_0) true)
+(expandtypeattribute (boottime_public_prop_34_0) true)
+(expandtypeattribute (boottrace_data_file_34_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_34_0) true)
+(expandtypeattribute (bpfloader_34_0) true)
+(expandtypeattribute (bq_config_prop_34_0) true)
+(expandtypeattribute (broadcastradio_service_34_0) true)
+(expandtypeattribute (bt_device_34_0) true)
+(expandtypeattribute (bufferhubd_34_0) true)
+(expandtypeattribute (bufferhubd_exec_34_0) true)
+(expandtypeattribute (bugreport_service_34_0) true)
+(expandtypeattribute (build_attestation_prop_34_0) true)
+(expandtypeattribute (build_bootimage_prop_34_0) true)
+(expandtypeattribute (build_config_prop_34_0) true)
+(expandtypeattribute (build_odm_prop_34_0) true)
+(expandtypeattribute (build_prop_34_0) true)
+(expandtypeattribute (build_vendor_prop_34_0) true)
+(expandtypeattribute (cache_backup_file_34_0) true)
+(expandtypeattribute (cache_block_device_34_0) true)
+(expandtypeattribute (cache_file_34_0) true)
+(expandtypeattribute (cache_private_backup_file_34_0) true)
+(expandtypeattribute (cache_recovery_file_34_0) true)
+(expandtypeattribute (cacheinfo_service_34_0) true)
+(expandtypeattribute (camera2_extensions_prop_34_0) true)
+(expandtypeattribute (camera_calibration_prop_34_0) true)
+(expandtypeattribute (camera_config_prop_34_0) true)
+(expandtypeattribute (camera_data_file_34_0) true)
+(expandtypeattribute (camera_device_34_0) true)
+(expandtypeattribute (cameraproxy_service_34_0) true)
+(expandtypeattribute (cameraserver_34_0) true)
+(expandtypeattribute (cameraserver_exec_34_0) true)
+(expandtypeattribute (cameraserver_service_34_0) true)
+(expandtypeattribute (cameraserver_tmpfs_34_0) true)
+(expandtypeattribute (camerax_extensions_prop_34_0) true)
+(expandtypeattribute (cgroup_34_0) true)
+(expandtypeattribute (cgroup_desc_api_file_34_0) true)
+(expandtypeattribute (cgroup_desc_file_34_0) true)
+(expandtypeattribute (cgroup_rc_file_34_0) true)
+(expandtypeattribute (cgroup_v2_34_0) true)
+(expandtypeattribute (charger_34_0) true)
+(expandtypeattribute (charger_config_prop_34_0) true)
+(expandtypeattribute (charger_exec_34_0) true)
+(expandtypeattribute (charger_prop_34_0) true)
+(expandtypeattribute (charger_status_prop_34_0) true)
+(expandtypeattribute (charger_vendor_34_0) true)
+(expandtypeattribute (clipboard_service_34_0) true)
+(expandtypeattribute (cloudsearch_service_34_0) true)
+(expandtypeattribute (codec2_config_prop_34_0) true)
+(expandtypeattribute (cold_boot_done_prop_34_0) true)
+(expandtypeattribute (color_display_service_34_0) true)
+(expandtypeattribute (companion_device_service_34_0) true)
+(expandtypeattribute (composd_vm_art_prop_34_0) true)
+(expandtypeattribute (composd_vm_vendor_prop_34_0) true)
+(expandtypeattribute (config_prop_34_0) true)
+(expandtypeattribute (configfs_34_0) true)
+(expandtypeattribute (connectivity_native_service_34_0) true)
+(expandtypeattribute (connectivity_service_34_0) true)
+(expandtypeattribute (connmetrics_service_34_0) true)
+(expandtypeattribute (console_device_34_0) true)
+(expandtypeattribute (consumer_ir_service_34_0) true)
+(expandtypeattribute (content_capture_service_34_0) true)
+(expandtypeattribute (content_service_34_0) true)
+(expandtypeattribute (content_suggestions_service_34_0) true)
+(expandtypeattribute (contexthub_service_34_0) true)
+(expandtypeattribute (coredump_file_34_0) true)
+(expandtypeattribute (country_detector_service_34_0) true)
+(expandtypeattribute (coverage_service_34_0) true)
+(expandtypeattribute (cppreopt_prop_34_0) true)
+(expandtypeattribute (cpu_monitor_service_34_0) true)
+(expandtypeattribute (cpu_variant_prop_34_0) true)
+(expandtypeattribute (cpuinfo_service_34_0) true)
+(expandtypeattribute (crash_dump_34_0) true)
+(expandtypeattribute (crash_dump_exec_34_0) true)
+(expandtypeattribute (credential_service_34_0) true)
+(expandtypeattribute (credstore_34_0) true)
+(expandtypeattribute (credstore_data_file_34_0) true)
+(expandtypeattribute (credstore_exec_34_0) true)
+(expandtypeattribute (credstore_service_34_0) true)
+(expandtypeattribute (crossprofileapps_service_34_0) true)
+(expandtypeattribute (ctl_adbd_prop_34_0) true)
+(expandtypeattribute (ctl_apexd_prop_34_0) true)
+(expandtypeattribute (ctl_bootanim_prop_34_0) true)
+(expandtypeattribute (ctl_bugreport_prop_34_0) true)
+(expandtypeattribute (ctl_console_prop_34_0) true)
+(expandtypeattribute (ctl_default_prop_34_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_34_0) true)
+(expandtypeattribute (ctl_fuse_prop_34_0) true)
+(expandtypeattribute (ctl_gsid_prop_34_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_34_0) true)
+(expandtypeattribute (ctl_interface_start_prop_34_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_34_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_34_0) true)
+(expandtypeattribute (ctl_restart_prop_34_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_34_0) true)
+(expandtypeattribute (ctl_sigstop_prop_34_0) true)
+(expandtypeattribute (ctl_start_prop_34_0) true)
+(expandtypeattribute (ctl_stop_prop_34_0) true)
+(expandtypeattribute (dalvik_config_prop_34_0) true)
+(expandtypeattribute (dalvik_dynamic_config_prop_34_0) true)
+(expandtypeattribute (dalvik_prop_34_0) true)
+(expandtypeattribute (dalvik_runtime_prop_34_0) true)
+(expandtypeattribute (dalvikcache_data_file_34_0) true)
+(expandtypeattribute (dataloader_manager_service_34_0) true)
+(expandtypeattribute (dbinfo_service_34_0) true)
+(expandtypeattribute (dck_prop_34_0) true)
+(expandtypeattribute (debug_prop_34_0) true)
+(expandtypeattribute (debugfs_34_0) true)
+(expandtypeattribute (debugfs_bootreceiver_tracing_34_0) true)
+(expandtypeattribute (debugfs_kprobes_34_0) true)
+(expandtypeattribute (debugfs_mm_events_tracing_34_0) true)
+(expandtypeattribute (debugfs_mmc_34_0) true)
+(expandtypeattribute (debugfs_restriction_prop_34_0) true)
+(expandtypeattribute (debugfs_trace_marker_34_0) true)
+(expandtypeattribute (debugfs_tracing_34_0) true)
+(expandtypeattribute (debugfs_tracing_debug_34_0) true)
+(expandtypeattribute (debugfs_tracing_instances_34_0) true)
+(expandtypeattribute (debugfs_tracing_printk_formats_34_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_34_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_34_0) true)
+(expandtypeattribute (debuggerd_prop_34_0) true)
+(expandtypeattribute (default_android_hwservice_34_0) true)
+(expandtypeattribute (default_android_service_34_0) true)
+(expandtypeattribute (default_android_vndservice_34_0) true)
+(expandtypeattribute (default_prop_34_0) true)
+(expandtypeattribute (dev_cpu_variant_34_0) true)
+(expandtypeattribute (device_34_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_34_0) true)
+(expandtypeattribute (device_config_boot_count_prop_34_0) true)
+(expandtypeattribute (device_config_camera_native_prop_34_0) true)
+(expandtypeattribute (device_config_edgetpu_native_prop_34_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_34_0) true)
+(expandtypeattribute (device_config_media_native_prop_34_0) true)
+(expandtypeattribute (device_config_memory_safety_native_boot_prop_34_0) true)
+(expandtypeattribute (device_config_memory_safety_native_prop_34_0) true)
+(expandtypeattribute (device_config_netd_native_prop_34_0) true)
+(expandtypeattribute (device_config_nnapi_native_prop_34_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_34_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_34_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_34_0) true)
+(expandtypeattribute (device_config_service_34_0) true)
+(expandtypeattribute (device_config_surface_flinger_native_boot_prop_34_0) true)
+(expandtypeattribute (device_config_updatable_service_34_0) true)
+(expandtypeattribute (device_config_vendor_system_native_boot_prop_34_0) true)
+(expandtypeattribute (device_config_vendor_system_native_prop_34_0) true)
+(expandtypeattribute (device_identifiers_service_34_0) true)
+(expandtypeattribute (device_logging_prop_34_0) true)
+(expandtypeattribute (device_policy_service_34_0) true)
+(expandtypeattribute (device_state_service_34_0) true)
+(expandtypeattribute (deviceidle_service_34_0) true)
+(expandtypeattribute (devicelock_service_34_0) true)
+(expandtypeattribute (devicestoragemonitor_service_34_0) true)
+(expandtypeattribute (devpts_34_0) true)
+(expandtypeattribute (dhcp_34_0) true)
+(expandtypeattribute (dhcp_data_file_34_0) true)
+(expandtypeattribute (dhcp_exec_34_0) true)
+(expandtypeattribute (dhcp_prop_34_0) true)
+(expandtypeattribute (diskstats_service_34_0) true)
+(expandtypeattribute (display_service_34_0) true)
+(expandtypeattribute (dm_device_34_0) true)
+(expandtypeattribute (dm_user_device_34_0) true)
+(expandtypeattribute (dmabuf_heap_device_34_0) true)
+(expandtypeattribute (dmabuf_system_heap_device_34_0) true)
+(expandtypeattribute (dmabuf_system_secure_heap_device_34_0) true)
+(expandtypeattribute (dnsmasq_34_0) true)
+(expandtypeattribute (dnsmasq_exec_34_0) true)
+(expandtypeattribute (dnsproxyd_socket_34_0) true)
+(expandtypeattribute (dnsresolver_service_34_0) true)
+(expandtypeattribute (domain_verification_service_34_0) true)
+(expandtypeattribute (dreams_service_34_0) true)
+(expandtypeattribute (drm_data_file_34_0) true)
+(expandtypeattribute (drm_service_config_prop_34_0) true)
+(expandtypeattribute (drmserver_34_0) true)
+(expandtypeattribute (drmserver_exec_34_0) true)
+(expandtypeattribute (drmserver_service_34_0) true)
+(expandtypeattribute (drmserver_socket_34_0) true)
+(expandtypeattribute (dropbox_data_file_34_0) true)
+(expandtypeattribute (dropbox_service_34_0) true)
+(expandtypeattribute (dumpstate_34_0) true)
+(expandtypeattribute (dumpstate_exec_34_0) true)
+(expandtypeattribute (dumpstate_options_prop_34_0) true)
+(expandtypeattribute (dumpstate_prop_34_0) true)
+(expandtypeattribute (dumpstate_service_34_0) true)
+(expandtypeattribute (dumpstate_socket_34_0) true)
+(expandtypeattribute (dynamic_system_prop_34_0) true)
+(expandtypeattribute (e2fs_34_0) true)
+(expandtypeattribute (e2fs_exec_34_0) true)
+(expandtypeattribute (efs_file_34_0) true)
+(expandtypeattribute (emergency_affordance_service_34_0) true)
+(expandtypeattribute (ephemeral_app_34_0) true)
+(expandtypeattribute (ethernet_service_34_0) true)
+(expandtypeattribute (evsmanagerd_34_0) true)
+(expandtypeattribute (evsmanagerd_service_34_0) true)
+(expandtypeattribute (exfat_34_0) true)
+(expandtypeattribute (exported3_system_prop_34_0) true)
+(expandtypeattribute (exported_bluetooth_prop_34_0) true)
+(expandtypeattribute (exported_camera_prop_34_0) true)
+(expandtypeattribute (exported_config_prop_34_0) true)
+(expandtypeattribute (exported_default_prop_34_0) true)
+(expandtypeattribute (exported_dumpstate_prop_34_0) true)
+(expandtypeattribute (exported_overlay_prop_34_0) true)
+(expandtypeattribute (exported_pm_prop_34_0) true)
+(expandtypeattribute (exported_secure_prop_34_0) true)
+(expandtypeattribute (exported_system_prop_34_0) true)
+(expandtypeattribute (external_vibrator_service_34_0) true)
+(expandtypeattribute (extra_free_kbytes_34_0) true)
+(expandtypeattribute (extra_free_kbytes_exec_34_0) true)
+(expandtypeattribute (face_service_34_0) true)
+(expandtypeattribute (face_vendor_data_file_34_0) true)
+(expandtypeattribute (fastbootd_34_0) true)
+(expandtypeattribute (ffs_config_prop_34_0) true)
+(expandtypeattribute (ffs_control_prop_34_0) true)
+(expandtypeattribute (file_contexts_file_34_0) true)
+(expandtypeattribute (file_integrity_service_34_0) true)
+(expandtypeattribute (fingerprint_prop_34_0) true)
+(expandtypeattribute (fingerprint_service_34_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_34_0) true)
+(expandtypeattribute (fingerprintd_34_0) true)
+(expandtypeattribute (fingerprintd_data_file_34_0) true)
+(expandtypeattribute (fingerprintd_exec_34_0) true)
+(expandtypeattribute (fingerprintd_service_34_0) true)
+(expandtypeattribute (firstboot_prop_34_0) true)
+(expandtypeattribute (flags_health_check_34_0) true)
+(expandtypeattribute (flags_health_check_exec_34_0) true)
+(expandtypeattribute (font_service_34_0) true)
+(expandtypeattribute (framework_status_prop_34_0) true)
+(expandtypeattribute (framework_watchdog_config_prop_34_0) true)
+(expandtypeattribute (frp_block_device_34_0) true)
+(expandtypeattribute (fs_bpf_34_0) true)
+(expandtypeattribute (fs_bpf_tethering_34_0) true)
+(expandtypeattribute (fs_bpf_vendor_34_0) true)
+(expandtypeattribute (fsck_34_0) true)
+(expandtypeattribute (fsck_exec_34_0) true)
+(expandtypeattribute (fsck_untrusted_34_0) true)
+(expandtypeattribute (fscklogs_34_0) true)
+(expandtypeattribute (functionfs_34_0) true)
+(expandtypeattribute (fuse_34_0) true)
+(expandtypeattribute (fuse_device_34_0) true)
+(expandtypeattribute (fuseblk_34_0) true)
+(expandtypeattribute (fusectlfs_34_0) true)
+(expandtypeattribute (future_pm_prop_34_0) true)
+(expandtypeattribute (fwk_altitude_service_34_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_34_0) true)
+(expandtypeattribute (fwk_automotive_display_service_34_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_34_0) true)
+(expandtypeattribute (fwk_camera_hwservice_34_0) true)
+(expandtypeattribute (fwk_camera_service_34_0) true)
+(expandtypeattribute (fwk_display_hwservice_34_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_34_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_34_0) true)
+(expandtypeattribute (fwk_sensor_service_34_0) true)
+(expandtypeattribute (fwk_stats_hwservice_34_0) true)
+(expandtypeattribute (fwk_stats_service_34_0) true)
+(expandtypeattribute (fwmarkd_socket_34_0) true)
+(expandtypeattribute (game_mode_intervention_list_file_34_0) true)
+(expandtypeattribute (game_service_34_0) true)
+(expandtypeattribute (gatekeeper_data_file_34_0) true)
+(expandtypeattribute (gatekeeper_service_34_0) true)
+(expandtypeattribute (gatekeeperd_34_0) true)
+(expandtypeattribute (gatekeeperd_exec_34_0) true)
+(expandtypeattribute (gesture_prop_34_0) true)
+(expandtypeattribute (gfxinfo_service_34_0) true)
+(expandtypeattribute (gmscore_app_34_0) true)
+(expandtypeattribute (gnss_device_34_0) true)
+(expandtypeattribute (gnss_time_update_service_34_0) true)
+(expandtypeattribute (gps_control_34_0) true)
+(expandtypeattribute (gpu_device_34_0) true)
+(expandtypeattribute (gpu_service_34_0) true)
+(expandtypeattribute (gpuservice_34_0) true)
+(expandtypeattribute (grammatical_inflection_service_34_0) true)
+(expandtypeattribute (graphics_config_prop_34_0) true)
+(expandtypeattribute (graphics_config_writable_prop_34_0) true)
+(expandtypeattribute (graphics_device_34_0) true)
+(expandtypeattribute (graphicsstats_service_34_0) true)
+(expandtypeattribute (gsi_data_file_34_0) true)
+(expandtypeattribute (gsi_metadata_file_34_0) true)
+(expandtypeattribute (gsi_public_metadata_file_34_0) true)
+(expandtypeattribute (gwp_asan_prop_34_0) true)
+(expandtypeattribute (hal_atrace_hwservice_34_0) true)
+(expandtypeattribute (hal_audio_hwservice_34_0) true)
+(expandtypeattribute (hal_audio_service_34_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_34_0) true)
+(expandtypeattribute (hal_audiocontrol_service_34_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_34_0) true)
+(expandtypeattribute (hal_authsecret_service_34_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_34_0) true)
+(expandtypeattribute (hal_bluetooth_service_34_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_34_0) true)
+(expandtypeattribute (hal_bootctl_service_34_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_34_0) true)
+(expandtypeattribute (hal_broadcastradio_service_34_0) true)
+(expandtypeattribute (hal_camera_hwservice_34_0) true)
+(expandtypeattribute (hal_camera_service_34_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_34_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_34_0) true)
+(expandtypeattribute (hal_can_controller_service_34_0) true)
+(expandtypeattribute (hal_cas_hwservice_34_0) true)
+(expandtypeattribute (hal_cas_service_34_0) true)
+(expandtypeattribute (hal_codec2_hwservice_34_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_34_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_34_0) true)
+(expandtypeattribute (hal_confirmationui_service_34_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_34_0) true)
+(expandtypeattribute (hal_contexthub_service_34_0) true)
+(expandtypeattribute (hal_drm_hwservice_34_0) true)
+(expandtypeattribute (hal_drm_service_34_0) true)
+(expandtypeattribute (hal_dumpstate_config_prop_34_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_34_0) true)
+(expandtypeattribute (hal_dumpstate_service_34_0) true)
+(expandtypeattribute (hal_evs_hwservice_34_0) true)
+(expandtypeattribute (hal_evs_service_34_0) true)
+(expandtypeattribute (hal_face_hwservice_34_0) true)
+(expandtypeattribute (hal_face_service_34_0) true)
+(expandtypeattribute (hal_fastboot_service_34_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_34_0) true)
+(expandtypeattribute (hal_fingerprint_service_34_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_34_0) true)
+(expandtypeattribute (hal_gatekeeper_service_34_0) true)
+(expandtypeattribute (hal_gnss_hwservice_34_0) true)
+(expandtypeattribute (hal_gnss_service_34_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_34_0) true)
+(expandtypeattribute (hal_graphics_allocator_service_34_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_34_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_34_0) true)
+(expandtypeattribute (hal_graphics_composer_service_34_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_34_0) true)
+(expandtypeattribute (hal_health_hwservice_34_0) true)
+(expandtypeattribute (hal_health_service_34_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_34_0) true)
+(expandtypeattribute (hal_health_storage_service_34_0) true)
+(expandtypeattribute (hal_identity_service_34_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_34_0) true)
+(expandtypeattribute (hal_input_processor_service_34_0) true)
+(expandtypeattribute (hal_instrumentation_prop_34_0) true)
+(expandtypeattribute (hal_ir_hwservice_34_0) true)
+(expandtypeattribute (hal_ir_service_34_0) true)
+(expandtypeattribute (hal_ivn_service_34_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_34_0) true)
+(expandtypeattribute (hal_keymint_service_34_0) true)
+(expandtypeattribute (hal_light_hwservice_34_0) true)
+(expandtypeattribute (hal_light_service_34_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_34_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_34_0) true)
+(expandtypeattribute (hal_memtrack_service_34_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_34_0) true)
+(expandtypeattribute (hal_neuralnetworks_service_34_0) true)
+(expandtypeattribute (hal_nfc_hwservice_34_0) true)
+(expandtypeattribute (hal_nfc_service_34_0) true)
+(expandtypeattribute (hal_nlinterceptor_service_34_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_34_0) true)
+(expandtypeattribute (hal_oemlock_service_34_0) true)
+(expandtypeattribute (hal_omx_hwservice_34_0) true)
+(expandtypeattribute (hal_power_hwservice_34_0) true)
+(expandtypeattribute (hal_power_service_34_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_34_0) true)
+(expandtypeattribute (hal_power_stats_service_34_0) true)
+(expandtypeattribute (hal_radio_service_34_0) true)
+(expandtypeattribute (hal_rebootescrow_service_34_0) true)
+(expandtypeattribute (hal_remoteaccess_service_34_0) true)
+(expandtypeattribute (hal_remotelyprovisionedcomponent_service_34_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_34_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_34_0) true)
+(expandtypeattribute (hal_secure_element_service_34_0) true)
+(expandtypeattribute (hal_secureclock_service_34_0) true)
+(expandtypeattribute (hal_sensors_hwservice_34_0) true)
+(expandtypeattribute (hal_sensors_service_34_0) true)
+(expandtypeattribute (hal_sharedsecret_service_34_0) true)
+(expandtypeattribute (hal_system_suspend_service_34_0) true)
+(expandtypeattribute (hal_telephony_hwservice_34_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_34_0) true)
+(expandtypeattribute (hal_tetheroffload_service_34_0) true)
+(expandtypeattribute (hal_thermal_hwservice_34_0) true)
+(expandtypeattribute (hal_thermal_service_34_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_34_0) true)
+(expandtypeattribute (hal_tv_hdmi_cec_service_34_0) true)
+(expandtypeattribute (hal_tv_hdmi_connection_service_34_0) true)
+(expandtypeattribute (hal_tv_hdmi_earc_service_34_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_34_0) true)
+(expandtypeattribute (hal_tv_input_service_34_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_34_0) true)
+(expandtypeattribute (hal_tv_tuner_service_34_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_34_0) true)
+(expandtypeattribute (hal_usb_gadget_service_34_0) true)
+(expandtypeattribute (hal_usb_hwservice_34_0) true)
+(expandtypeattribute (hal_usb_service_34_0) true)
+(expandtypeattribute (hal_uwb_service_34_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_34_0) true)
+(expandtypeattribute (hal_vehicle_service_34_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_34_0) true)
+(expandtypeattribute (hal_vibrator_service_34_0) true)
+(expandtypeattribute (hal_vr_hwservice_34_0) true)
+(expandtypeattribute (hal_weaver_hwservice_34_0) true)
+(expandtypeattribute (hal_weaver_service_34_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_34_0) true)
+(expandtypeattribute (hal_wifi_hostapd_service_34_0) true)
+(expandtypeattribute (hal_wifi_hwservice_34_0) true)
+(expandtypeattribute (hal_wifi_service_34_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_34_0) true)
+(expandtypeattribute (hal_wifi_supplicant_service_34_0) true)
+(expandtypeattribute (hardware_properties_service_34_0) true)
+(expandtypeattribute (hardware_service_34_0) true)
+(expandtypeattribute (hci_attach_dev_34_0) true)
+(expandtypeattribute (hdmi_config_prop_34_0) true)
+(expandtypeattribute (hdmi_control_service_34_0) true)
+(expandtypeattribute (healthconnect_service_34_0) true)
+(expandtypeattribute (healthd_34_0) true)
+(expandtypeattribute (heapdump_data_file_34_0) true)
+(expandtypeattribute (heapprofd_34_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_34_0) true)
+(expandtypeattribute (heapprofd_prop_34_0) true)
+(expandtypeattribute (heapprofd_socket_34_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_34_0) true)
+(expandtypeattribute (hidl_base_hwservice_34_0) true)
+(expandtypeattribute (hidl_manager_hwservice_34_0) true)
+(expandtypeattribute (hidl_memory_hwservice_34_0) true)
+(expandtypeattribute (hidl_token_hwservice_34_0) true)
+(expandtypeattribute (hint_service_34_0) true)
+(expandtypeattribute (hw_random_device_34_0) true)
+(expandtypeattribute (hw_timeout_multiplier_prop_34_0) true)
+(expandtypeattribute (hwbinder_device_34_0) true)
+(expandtypeattribute (hwservice_contexts_file_34_0) true)
+(expandtypeattribute (hwservicemanager_34_0) true)
+(expandtypeattribute (hwservicemanager_exec_34_0) true)
+(expandtypeattribute (hwservicemanager_prop_34_0) true)
+(expandtypeattribute (hypervisor_prop_34_0) true)
+(expandtypeattribute (hypervisor_restricted_prop_34_0) true)
+(expandtypeattribute (icon_file_34_0) true)
+(expandtypeattribute (idmap_34_0) true)
+(expandtypeattribute (idmap_exec_34_0) true)
+(expandtypeattribute (idmap_service_34_0) true)
+(expandtypeattribute (iio_device_34_0) true)
+(expandtypeattribute (imms_service_34_0) true)
+(expandtypeattribute (incident_34_0) true)
+(expandtypeattribute (incident_data_file_34_0) true)
+(expandtypeattribute (incident_helper_34_0) true)
+(expandtypeattribute (incident_service_34_0) true)
+(expandtypeattribute (incidentd_34_0) true)
+(expandtypeattribute (incremental_control_file_34_0) true)
+(expandtypeattribute (incremental_prop_34_0) true)
+(expandtypeattribute (incremental_service_34_0) true)
+(expandtypeattribute (init_34_0) true)
+(expandtypeattribute (init_exec_34_0) true)
+(expandtypeattribute (init_service_status_prop_34_0) true)
+(expandtypeattribute (init_tmpfs_34_0) true)
+(expandtypeattribute (inotify_34_0) true)
+(expandtypeattribute (input_device_34_0) true)
+(expandtypeattribute (input_method_service_34_0) true)
+(expandtypeattribute (input_service_34_0) true)
+(expandtypeattribute (inputflinger_34_0) true)
+(expandtypeattribute (inputflinger_exec_34_0) true)
+(expandtypeattribute (inputflinger_service_34_0) true)
+(expandtypeattribute (install_data_file_34_0) true)
+(expandtypeattribute (installd_34_0) true)
+(expandtypeattribute (installd_exec_34_0) true)
+(expandtypeattribute (installd_service_34_0) true)
+(expandtypeattribute (ion_device_34_0) true)
+(expandtypeattribute (ipsec_service_34_0) true)
+(expandtypeattribute (iris_service_34_0) true)
+(expandtypeattribute (iris_vendor_data_file_34_0) true)
+(expandtypeattribute (isolated_app_34_0) true)
+(expandtypeattribute (isolated_compute_app_34_0) true)
+(expandtypeattribute (jobscheduler_service_34_0) true)
+(expandtypeattribute (kernel_34_0) true)
+(expandtypeattribute (keychain_data_file_34_0) true)
+(expandtypeattribute (keychord_device_34_0) true)
+(expandtypeattribute (keyguard_config_prop_34_0) true)
+(expandtypeattribute (keystore2_key_contexts_file_34_0) true)
+(expandtypeattribute (keystore_34_0) true)
+(expandtypeattribute (keystore_compat_hal_service_34_0) true)
+(expandtypeattribute (keystore_config_prop_34_0) true)
+(expandtypeattribute (keystore_data_file_34_0) true)
+(expandtypeattribute (keystore_exec_34_0) true)
+(expandtypeattribute (keystore_maintenance_service_34_0) true)
+(expandtypeattribute (keystore_metrics_service_34_0) true)
+(expandtypeattribute (keystore_service_34_0) true)
+(expandtypeattribute (kmsg_debug_device_34_0) true)
+(expandtypeattribute (kmsg_device_34_0) true)
+(expandtypeattribute (labeledfs_34_0) true)
+(expandtypeattribute (launcherapps_service_34_0) true)
+(expandtypeattribute (legacy_permission_service_34_0) true)
+(expandtypeattribute (legacykeystore_service_34_0) true)
+(expandtypeattribute (libc_debug_prop_34_0) true)
+(expandtypeattribute (light_service_34_0) true)
+(expandtypeattribute (linkerconfig_file_34_0) true)
+(expandtypeattribute (llkd_34_0) true)
+(expandtypeattribute (llkd_exec_34_0) true)
+(expandtypeattribute (llkd_prop_34_0) true)
+(expandtypeattribute (lmkd_34_0) true)
+(expandtypeattribute (lmkd_config_prop_34_0) true)
+(expandtypeattribute (lmkd_exec_34_0) true)
+(expandtypeattribute (lmkd_prop_34_0) true)
+(expandtypeattribute (lmkd_socket_34_0) true)
+(expandtypeattribute (locale_prop_34_0) true)
+(expandtypeattribute (locale_service_34_0) true)
+(expandtypeattribute (location_service_34_0) true)
+(expandtypeattribute (location_time_zone_manager_service_34_0) true)
+(expandtypeattribute (lock_settings_service_34_0) true)
+(expandtypeattribute (log_prop_34_0) true)
+(expandtypeattribute (log_tag_prop_34_0) true)
+(expandtypeattribute (logcat_exec_34_0) true)
+(expandtypeattribute (logd_34_0) true)
+(expandtypeattribute (logd_exec_34_0) true)
+(expandtypeattribute (logd_prop_34_0) true)
+(expandtypeattribute (logd_socket_34_0) true)
+(expandtypeattribute (logdr_socket_34_0) true)
+(expandtypeattribute (logdw_socket_34_0) true)
+(expandtypeattribute (logpersist_34_0) true)
+(expandtypeattribute (logpersistd_logging_prop_34_0) true)
+(expandtypeattribute (loop_control_device_34_0) true)
+(expandtypeattribute (loop_device_34_0) true)
+(expandtypeattribute (looper_stats_service_34_0) true)
+(expandtypeattribute (lowpan_device_34_0) true)
+(expandtypeattribute (lowpan_prop_34_0) true)
+(expandtypeattribute (lpdump_service_34_0) true)
+(expandtypeattribute (lpdumpd_prop_34_0) true)
+(expandtypeattribute (mac_perms_file_34_0) true)
+(expandtypeattribute (mdns_service_34_0) true)
+(expandtypeattribute (mdns_socket_34_0) true)
+(expandtypeattribute (mdnsd_34_0) true)
+(expandtypeattribute (mdnsd_socket_34_0) true)
+(expandtypeattribute (media_communication_service_34_0) true)
+(expandtypeattribute (media_config_prop_34_0) true)
+(expandtypeattribute (media_data_file_34_0) true)
+(expandtypeattribute (media_metrics_service_34_0) true)
+(expandtypeattribute (media_projection_service_34_0) true)
+(expandtypeattribute (media_router_service_34_0) true)
+(expandtypeattribute (media_rw_data_file_34_0) true)
+(expandtypeattribute (media_session_service_34_0) true)
+(expandtypeattribute (media_userdir_file_34_0) true)
+(expandtypeattribute (media_variant_prop_34_0) true)
+(expandtypeattribute (mediadrm_config_prop_34_0) true)
+(expandtypeattribute (mediadrmserver_34_0) true)
+(expandtypeattribute (mediadrmserver_exec_34_0) true)
+(expandtypeattribute (mediadrmserver_service_34_0) true)
+(expandtypeattribute (mediaextractor_34_0) true)
+(expandtypeattribute (mediaextractor_exec_34_0) true)
+(expandtypeattribute (mediaextractor_service_34_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_34_0) true)
+(expandtypeattribute (mediametrics_34_0) true)
+(expandtypeattribute (mediametrics_exec_34_0) true)
+(expandtypeattribute (mediametrics_service_34_0) true)
+(expandtypeattribute (mediaprovider_34_0) true)
+(expandtypeattribute (mediaserver_34_0) true)
+(expandtypeattribute (mediaserver_exec_34_0) true)
+(expandtypeattribute (mediaserver_service_34_0) true)
+(expandtypeattribute (mediaserver_tmpfs_34_0) true)
+(expandtypeattribute (mediaswcodec_34_0) true)
+(expandtypeattribute (mediaswcodec_exec_34_0) true)
+(expandtypeattribute (mediatranscoding_34_0) true)
+(expandtypeattribute (mediatranscoding_service_34_0) true)
+(expandtypeattribute (meminfo_service_34_0) true)
+(expandtypeattribute (memtrackproxy_service_34_0) true)
+(expandtypeattribute (metadata_block_device_34_0) true)
+(expandtypeattribute (metadata_bootstat_file_34_0) true)
+(expandtypeattribute (metadata_file_34_0) true)
+(expandtypeattribute (method_trace_data_file_34_0) true)
+(expandtypeattribute (midi_service_34_0) true)
+(expandtypeattribute (mirror_data_file_34_0) true)
+(expandtypeattribute (misc_block_device_34_0) true)
+(expandtypeattribute (misc_logd_file_34_0) true)
+(expandtypeattribute (misc_user_data_file_34_0) true)
+(expandtypeattribute (mm_events_config_prop_34_0) true)
+(expandtypeattribute (mmc_prop_34_0) true)
+(expandtypeattribute (mnt_expand_file_34_0) true)
+(expandtypeattribute (mnt_media_rw_file_34_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_34_0) true)
+(expandtypeattribute (mnt_pass_through_file_34_0) true)
+(expandtypeattribute (mnt_product_file_34_0) true)
+(expandtypeattribute (mnt_sdcard_file_34_0) true)
+(expandtypeattribute (mnt_user_file_34_0) true)
+(expandtypeattribute (mnt_vendor_file_34_0) true)
+(expandtypeattribute (mock_ota_prop_34_0) true)
+(expandtypeattribute (modprobe_34_0) true)
+(expandtypeattribute (module_sdkextensions_prop_34_0) true)
+(expandtypeattribute (mount_service_34_0) true)
+(expandtypeattribute (mqueue_34_0) true)
+(expandtypeattribute (mtp_34_0) true)
+(expandtypeattribute (mtp_device_34_0) true)
+(expandtypeattribute (mtp_exec_34_0) true)
+(expandtypeattribute (mtpd_socket_34_0) true)
+(expandtypeattribute (music_recognition_service_34_0) true)
+(expandtypeattribute (nativetest_data_file_34_0) true)
+(expandtypeattribute (nearby_service_34_0) true)
+(expandtypeattribute (net_data_file_34_0) true)
+(expandtypeattribute (net_dns_prop_34_0) true)
+(expandtypeattribute (net_radio_prop_34_0) true)
+(expandtypeattribute (netd_34_0) true)
+(expandtypeattribute (netd_exec_34_0) true)
+(expandtypeattribute (netd_listener_service_34_0) true)
+(expandtypeattribute (netd_service_34_0) true)
+(expandtypeattribute (netif_34_0) true)
+(expandtypeattribute (netpolicy_service_34_0) true)
+(expandtypeattribute (netstats_service_34_0) true)
+(expandtypeattribute (netutils_wrapper_34_0) true)
+(expandtypeattribute (netutils_wrapper_exec_34_0) true)
+(expandtypeattribute (network_management_service_34_0) true)
+(expandtypeattribute (network_score_service_34_0) true)
+(expandtypeattribute (network_stack_34_0) true)
+(expandtypeattribute (network_stack_service_34_0) true)
+(expandtypeattribute (network_time_update_service_34_0) true)
+(expandtypeattribute (network_watchlist_data_file_34_0) true)
+(expandtypeattribute (network_watchlist_service_34_0) true)
+(expandtypeattribute (nfc_34_0) true)
+(expandtypeattribute (nfc_data_file_34_0) true)
+(expandtypeattribute (nfc_device_34_0) true)
+(expandtypeattribute (nfc_logs_data_file_34_0) true)
+(expandtypeattribute (nfc_prop_34_0) true)
+(expandtypeattribute (nfc_service_34_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_34_0) true)
+(expandtypeattribute (node_34_0) true)
+(expandtypeattribute (notification_service_34_0) true)
+(expandtypeattribute (null_device_34_0) true)
+(expandtypeattribute (oem_lock_service_34_0) true)
+(expandtypeattribute (oem_unlock_prop_34_0) true)
+(expandtypeattribute (oemfs_34_0) true)
+(expandtypeattribute (ondevicepersonalization_system_service_34_0) true)
+(expandtypeattribute (ota_data_file_34_0) true)
+(expandtypeattribute (ota_metadata_file_34_0) true)
+(expandtypeattribute (ota_package_file_34_0) true)
+(expandtypeattribute (ota_prop_34_0) true)
+(expandtypeattribute (otadexopt_service_34_0) true)
+(expandtypeattribute (otapreopt_chroot_34_0) true)
+(expandtypeattribute (overlay_prop_34_0) true)
+(expandtypeattribute (overlay_service_34_0) true)
+(expandtypeattribute (overlayfs_file_34_0) true)
+(expandtypeattribute (owntty_device_34_0) true)
+(expandtypeattribute (pac_proxy_service_34_0) true)
+(expandtypeattribute (package_native_service_34_0) true)
+(expandtypeattribute (package_service_34_0) true)
+(expandtypeattribute (packagemanager_config_prop_34_0) true)
+(expandtypeattribute (packages_list_file_34_0) true)
+(expandtypeattribute (pan_result_prop_34_0) true)
+(expandtypeattribute (password_slot_metadata_file_34_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_34_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_34_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_34_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_34_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_34_0) true)
+(expandtypeattribute (pdx_display_dir_34_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_34_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_34_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_34_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_34_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_34_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_34_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_34_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_34_0) true)
+(expandtypeattribute (pdx_performance_dir_34_0) true)
+(expandtypeattribute (people_service_34_0) true)
+(expandtypeattribute (perfetto_34_0) true)
+(expandtypeattribute (performanced_34_0) true)
+(expandtypeattribute (performanced_exec_34_0) true)
+(expandtypeattribute (permission_checker_service_34_0) true)
+(expandtypeattribute (permission_service_34_0) true)
+(expandtypeattribute (permissionmgr_service_34_0) true)
+(expandtypeattribute (permissive_mte_prop_34_0) true)
+(expandtypeattribute (persist_debug_prop_34_0) true)
+(expandtypeattribute (persist_vendor_debug_wifi_prop_34_0) true)
+(expandtypeattribute (persist_wm_debug_prop_34_0) true)
+(expandtypeattribute (persistent_data_block_service_34_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_34_0) true)
+(expandtypeattribute (pinner_service_34_0) true)
+(expandtypeattribute (pipefs_34_0) true)
+(expandtypeattribute (platform_app_34_0) true)
+(expandtypeattribute (platform_compat_service_34_0) true)
+(expandtypeattribute (pmsg_device_34_0) true)
+(expandtypeattribute (port_34_0) true)
+(expandtypeattribute (port_device_34_0) true)
+(expandtypeattribute (postinstall_34_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_34_0) true)
+(expandtypeattribute (postinstall_file_34_0) true)
+(expandtypeattribute (postinstall_mnt_dir_34_0) true)
+(expandtypeattribute (power_debug_prop_34_0) true)
+(expandtypeattribute (power_service_34_0) true)
+(expandtypeattribute (powerctl_prop_34_0) true)
+(expandtypeattribute (powerstats_service_34_0) true)
+(expandtypeattribute (ppp_34_0) true)
+(expandtypeattribute (ppp_device_34_0) true)
+(expandtypeattribute (ppp_exec_34_0) true)
+(expandtypeattribute (preloads_data_file_34_0) true)
+(expandtypeattribute (preloads_media_file_34_0) true)
+(expandtypeattribute (prereboot_data_file_34_0) true)
+(expandtypeattribute (print_service_34_0) true)
+(expandtypeattribute (priv_app_34_0) true)
+(expandtypeattribute (privapp_data_file_34_0) true)
+(expandtypeattribute (prng_seeder_34_0) true)
+(expandtypeattribute (proc_34_0) true)
+(expandtypeattribute (proc_abi_34_0) true)
+(expandtypeattribute (proc_asound_34_0) true)
+(expandtypeattribute (proc_bluetooth_writable_34_0) true)
+(expandtypeattribute (proc_bootconfig_34_0) true)
+(expandtypeattribute (proc_bpf_34_0) true)
+(expandtypeattribute (proc_buddyinfo_34_0) true)
+(expandtypeattribute (proc_cmdline_34_0) true)
+(expandtypeattribute (proc_cpu_alignment_34_0) true)
+(expandtypeattribute (proc_cpuinfo_34_0) true)
+(expandtypeattribute (proc_dirty_34_0) true)
+(expandtypeattribute (proc_diskstats_34_0) true)
+(expandtypeattribute (proc_drop_caches_34_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_34_0) true)
+(expandtypeattribute (proc_filesystems_34_0) true)
+(expandtypeattribute (proc_fs_verity_34_0) true)
+(expandtypeattribute (proc_hostname_34_0) true)
+(expandtypeattribute (proc_hung_task_34_0) true)
+(expandtypeattribute (proc_interrupts_34_0) true)
+(expandtypeattribute (proc_iomem_34_0) true)
+(expandtypeattribute (proc_kallsyms_34_0) true)
+(expandtypeattribute (proc_keys_34_0) true)
+(expandtypeattribute (proc_kmsg_34_0) true)
+(expandtypeattribute (proc_kpageflags_34_0) true)
+(expandtypeattribute (proc_loadavg_34_0) true)
+(expandtypeattribute (proc_locks_34_0) true)
+(expandtypeattribute (proc_lowmemorykiller_34_0) true)
+(expandtypeattribute (proc_max_map_count_34_0) true)
+(expandtypeattribute (proc_meminfo_34_0) true)
+(expandtypeattribute (proc_min_free_order_shift_34_0) true)
+(expandtypeattribute (proc_misc_34_0) true)
+(expandtypeattribute (proc_modules_34_0) true)
+(expandtypeattribute (proc_mounts_34_0) true)
+(expandtypeattribute (proc_net_34_0) true)
+(expandtypeattribute (proc_net_tcp_udp_34_0) true)
+(expandtypeattribute (proc_overcommit_memory_34_0) true)
+(expandtypeattribute (proc_page_cluster_34_0) true)
+(expandtypeattribute (proc_pagetypeinfo_34_0) true)
+(expandtypeattribute (proc_panic_34_0) true)
+(expandtypeattribute (proc_perf_34_0) true)
+(expandtypeattribute (proc_pid_max_34_0) true)
+(expandtypeattribute (proc_pipe_conf_34_0) true)
+(expandtypeattribute (proc_pressure_cpu_34_0) true)
+(expandtypeattribute (proc_pressure_io_34_0) true)
+(expandtypeattribute (proc_pressure_mem_34_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_34_0) true)
+(expandtypeattribute (proc_qtaguid_stat_34_0) true)
+(expandtypeattribute (proc_random_34_0) true)
+(expandtypeattribute (proc_sched_34_0) true)
+(expandtypeattribute (proc_security_34_0) true)
+(expandtypeattribute (proc_slabinfo_34_0) true)
+(expandtypeattribute (proc_stat_34_0) true)
+(expandtypeattribute (proc_swaps_34_0) true)
+(expandtypeattribute (proc_sysrq_34_0) true)
+(expandtypeattribute (proc_timer_34_0) true)
+(expandtypeattribute (proc_tty_drivers_34_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_34_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_34_0) true)
+(expandtypeattribute (proc_uid_cpupower_34_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_34_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_34_0) true)
+(expandtypeattribute (proc_uid_io_stats_34_0) true)
+(expandtypeattribute (proc_uid_procstat_set_34_0) true)
+(expandtypeattribute (proc_uid_time_in_state_34_0) true)
+(expandtypeattribute (proc_uptime_34_0) true)
+(expandtypeattribute (proc_vendor_sched_34_0) true)
+(expandtypeattribute (proc_version_34_0) true)
+(expandtypeattribute (proc_vmallocinfo_34_0) true)
+(expandtypeattribute (proc_vmstat_34_0) true)
+(expandtypeattribute (proc_watermark_boost_factor_34_0) true)
+(expandtypeattribute (proc_watermark_scale_factor_34_0) true)
+(expandtypeattribute (proc_zoneinfo_34_0) true)
+(expandtypeattribute (processinfo_service_34_0) true)
+(expandtypeattribute (procstats_service_34_0) true)
+(expandtypeattribute (profman_34_0) true)
+(expandtypeattribute (profman_dump_data_file_34_0) true)
+(expandtypeattribute (profman_exec_34_0) true)
+(expandtypeattribute (properties_device_34_0) true)
+(expandtypeattribute (properties_serial_34_0) true)
+(expandtypeattribute (property_contexts_file_34_0) true)
+(expandtypeattribute (property_data_file_34_0) true)
+(expandtypeattribute (property_info_34_0) true)
+(expandtypeattribute (property_service_version_prop_34_0) true)
+(expandtypeattribute (property_socket_34_0) true)
+(expandtypeattribute (provisioned_prop_34_0) true)
+(expandtypeattribute (pstorefs_34_0) true)
+(expandtypeattribute (ptmx_device_34_0) true)
+(expandtypeattribute (qemu_hw_prop_34_0) true)
+(expandtypeattribute (qemu_sf_lcd_density_prop_34_0) true)
+(expandtypeattribute (qtaguid_device_34_0) true)
+(expandtypeattribute (quick_start_prop_34_0) true)
+(expandtypeattribute (racoon_34_0) true)
+(expandtypeattribute (racoon_exec_34_0) true)
+(expandtypeattribute (racoon_socket_34_0) true)
+(expandtypeattribute (radio_34_0) true)
+(expandtypeattribute (radio_control_prop_34_0) true)
+(expandtypeattribute (radio_core_data_file_34_0) true)
+(expandtypeattribute (radio_data_file_34_0) true)
+(expandtypeattribute (radio_device_34_0) true)
+(expandtypeattribute (radio_prop_34_0) true)
+(expandtypeattribute (radio_service_34_0) true)
+(expandtypeattribute (ram_device_34_0) true)
+(expandtypeattribute (random_device_34_0) true)
+(expandtypeattribute (reboot_readiness_service_34_0) true)
+(expandtypeattribute (rebootescrow_hal_prop_34_0) true)
+(expandtypeattribute (recovery_34_0) true)
+(expandtypeattribute (recovery_block_device_34_0) true)
+(expandtypeattribute (recovery_config_prop_34_0) true)
+(expandtypeattribute (recovery_data_file_34_0) true)
+(expandtypeattribute (recovery_persist_34_0) true)
+(expandtypeattribute (recovery_persist_exec_34_0) true)
+(expandtypeattribute (recovery_refresh_34_0) true)
+(expandtypeattribute (recovery_refresh_exec_34_0) true)
+(expandtypeattribute (recovery_service_34_0) true)
+(expandtypeattribute (recovery_socket_34_0) true)
+(expandtypeattribute (recovery_usb_config_prop_34_0) true)
+(expandtypeattribute (registry_service_34_0) true)
+(expandtypeattribute (remote_provisioning_service_34_0) true)
+(expandtypeattribute (resourcecache_data_file_34_0) true)
+(expandtypeattribute (resources_manager_service_34_0) true)
+(expandtypeattribute (restorecon_prop_34_0) true)
+(expandtypeattribute (restrictions_service_34_0) true)
+(expandtypeattribute (retaildemo_prop_34_0) true)
+(expandtypeattribute (rild_debug_socket_34_0) true)
+(expandtypeattribute (rild_socket_34_0) true)
+(expandtypeattribute (ringtone_file_34_0) true)
+(expandtypeattribute (rkpdapp_34_0) true)
+(expandtypeattribute (role_service_34_0) true)
+(expandtypeattribute (rollback_service_34_0) true)
+(expandtypeattribute (root_block_device_34_0) true)
+(expandtypeattribute (rootdisk_sysdev_34_0) true)
+(expandtypeattribute (rootfs_34_0) true)
+(expandtypeattribute (rpmsg_device_34_0) true)
+(expandtypeattribute (rs_34_0) true)
+(expandtypeattribute (rs_exec_34_0) true)
+(expandtypeattribute (rss_hwm_reset_34_0) true)
+(expandtypeattribute (rtc_device_34_0) true)
+(expandtypeattribute (rttmanager_service_34_0) true)
+(expandtypeattribute (runas_34_0) true)
+(expandtypeattribute (runas_app_34_0) true)
+(expandtypeattribute (runas_exec_34_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_34_0) true)
+(expandtypeattribute (runtime_service_34_0) true)
+(expandtypeattribute (safemode_prop_34_0) true)
+(expandtypeattribute (same_process_hal_file_34_0) true)
+(expandtypeattribute (samplingprofiler_service_34_0) true)
+(expandtypeattribute (scheduling_policy_service_34_0) true)
+(expandtypeattribute (sdcard_block_device_34_0) true)
+(expandtypeattribute (sdcardd_34_0) true)
+(expandtypeattribute (sdcardd_exec_34_0) true)
+(expandtypeattribute (sdcardfs_34_0) true)
+(expandtypeattribute (sdk_sandbox_service_34_0) true)
+(expandtypeattribute (seapp_contexts_file_34_0) true)
+(expandtypeattribute (search_service_34_0) true)
+(expandtypeattribute (search_ui_service_34_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_34_0) true)
+(expandtypeattribute (secure_element_34_0) true)
+(expandtypeattribute (secure_element_device_34_0) true)
+(expandtypeattribute (secure_element_service_34_0) true)
+(expandtypeattribute (securityfs_34_0) true)
+(expandtypeattribute (selection_toolbar_service_34_0) true)
+(expandtypeattribute (selinuxfs_34_0) true)
+(expandtypeattribute (sendbug_config_prop_34_0) true)
+(expandtypeattribute (sensor_privacy_service_34_0) true)
+(expandtypeattribute (sensors_device_34_0) true)
+(expandtypeattribute (sensorservice_service_34_0) true)
+(expandtypeattribute (sepolicy_file_34_0) true)
+(expandtypeattribute (serial_device_34_0) true)
+(expandtypeattribute (serial_service_34_0) true)
+(expandtypeattribute (serialno_prop_34_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_34_0) true)
+(expandtypeattribute (service_contexts_file_34_0) true)
+(expandtypeattribute (service_manager_service_34_0) true)
+(expandtypeattribute (service_manager_vndservice_34_0) true)
+(expandtypeattribute (servicediscovery_service_34_0) true)
+(expandtypeattribute (servicemanager_34_0) true)
+(expandtypeattribute (servicemanager_exec_34_0) true)
+(expandtypeattribute (servicemanager_prop_34_0) true)
+(expandtypeattribute (settings_service_34_0) true)
+(expandtypeattribute (sgdisk_34_0) true)
+(expandtypeattribute (sgdisk_exec_34_0) true)
+(expandtypeattribute (shared_relro_34_0) true)
+(expandtypeattribute (shared_relro_file_34_0) true)
+(expandtypeattribute (shell_34_0) true)
+(expandtypeattribute (shell_data_file_34_0) true)
+(expandtypeattribute (shell_exec_34_0) true)
+(expandtypeattribute (shell_prop_34_0) true)
+(expandtypeattribute (shell_test_data_file_34_0) true)
+(expandtypeattribute (shm_34_0) true)
+(expandtypeattribute (shortcut_manager_icons_34_0) true)
+(expandtypeattribute (shortcut_service_34_0) true)
+(expandtypeattribute (shutdown_checkpoints_system_data_file_34_0) true)
+(expandtypeattribute (simpleperf_34_0) true)
+(expandtypeattribute (simpleperf_app_runner_34_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_34_0) true)
+(expandtypeattribute (slice_service_34_0) true)
+(expandtypeattribute (slideshow_34_0) true)
+(expandtypeattribute (smart_idle_maint_enabled_prop_34_0) true)
+(expandtypeattribute (smartspace_service_34_0) true)
+(expandtypeattribute (snapshotctl_log_data_file_34_0) true)
+(expandtypeattribute (snapuserd_proxy_socket_34_0) true)
+(expandtypeattribute (snapuserd_socket_34_0) true)
+(expandtypeattribute (soc_prop_34_0) true)
+(expandtypeattribute (socket_device_34_0) true)
+(expandtypeattribute (socket_hook_prop_34_0) true)
+(expandtypeattribute (sockfs_34_0) true)
+(expandtypeattribute (sota_prop_34_0) true)
+(expandtypeattribute (soundtrigger_middleware_service_34_0) true)
+(expandtypeattribute (speech_recognition_service_34_0) true)
+(expandtypeattribute (sqlite_log_prop_34_0) true)
+(expandtypeattribute (staged_install_file_34_0) true)
+(expandtypeattribute (staging_data_file_34_0) true)
+(expandtypeattribute (stats_config_data_file_34_0) true)
+(expandtypeattribute (stats_data_file_34_0) true)
+(expandtypeattribute (statsd_34_0) true)
+(expandtypeattribute (statsd_exec_34_0) true)
+(expandtypeattribute (statsdw_socket_34_0) true)
+(expandtypeattribute (statusbar_service_34_0) true)
+(expandtypeattribute (storage_config_prop_34_0) true)
+(expandtypeattribute (storage_file_34_0) true)
+(expandtypeattribute (storage_stub_file_34_0) true)
+(expandtypeattribute (storaged_service_34_0) true)
+(expandtypeattribute (storagemanager_config_prop_34_0) true)
+(expandtypeattribute (storagestats_service_34_0) true)
+(expandtypeattribute (su_34_0) true)
+(expandtypeattribute (su_exec_34_0) true)
+(expandtypeattribute (super_block_device_34_0) true)
+(expandtypeattribute (surfaceflinger_34_0) true)
+(expandtypeattribute (surfaceflinger_color_prop_34_0) true)
+(expandtypeattribute (surfaceflinger_display_prop_34_0) true)
+(expandtypeattribute (surfaceflinger_prop_34_0) true)
+(expandtypeattribute (surfaceflinger_service_34_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_34_0) true)
+(expandtypeattribute (suspend_prop_34_0) true)
+(expandtypeattribute (swap_block_device_34_0) true)
+(expandtypeattribute (sysfs_34_0) true)
+(expandtypeattribute (sysfs_android_usb_34_0) true)
+(expandtypeattribute (sysfs_batteryinfo_34_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_34_0) true)
+(expandtypeattribute (sysfs_devfreq_cur_34_0) true)
+(expandtypeattribute (sysfs_devfreq_dir_34_0) true)
+(expandtypeattribute (sysfs_devices_block_34_0) true)
+(expandtypeattribute (sysfs_devices_cs_etm_34_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_34_0) true)
+(expandtypeattribute (sysfs_dm_34_0) true)
+(expandtypeattribute (sysfs_dm_verity_34_0) true)
+(expandtypeattribute (sysfs_dma_heap_34_0) true)
+(expandtypeattribute (sysfs_dmabuf_stats_34_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_34_0) true)
+(expandtypeattribute (sysfs_extcon_34_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_34_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_34_0) true)
+(expandtypeattribute (sysfs_fs_fuse_bpf_34_0) true)
+(expandtypeattribute (sysfs_fs_fuse_features_34_0) true)
+(expandtypeattribute (sysfs_fs_incfs_features_34_0) true)
+(expandtypeattribute (sysfs_fs_incfs_metrics_34_0) true)
+(expandtypeattribute (sysfs_gpu_34_0) true)
+(expandtypeattribute (sysfs_hwrandom_34_0) true)
+(expandtypeattribute (sysfs_ion_34_0) true)
+(expandtypeattribute (sysfs_ipv4_34_0) true)
+(expandtypeattribute (sysfs_kernel_notes_34_0) true)
+(expandtypeattribute (sysfs_leds_34_0) true)
+(expandtypeattribute (sysfs_loop_34_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_34_0) true)
+(expandtypeattribute (sysfs_lru_gen_enabled_34_0) true)
+(expandtypeattribute (sysfs_net_34_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_34_0) true)
+(expandtypeattribute (sysfs_power_34_0) true)
+(expandtypeattribute (sysfs_rtc_34_0) true)
+(expandtypeattribute (sysfs_suspend_stats_34_0) true)
+(expandtypeattribute (sysfs_switch_34_0) true)
+(expandtypeattribute (sysfs_thermal_34_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_34_0) true)
+(expandtypeattribute (sysfs_uhid_34_0) true)
+(expandtypeattribute (sysfs_uio_34_0) true)
+(expandtypeattribute (sysfs_usb_34_0) true)
+(expandtypeattribute (sysfs_usermodehelper_34_0) true)
+(expandtypeattribute (sysfs_vendor_sched_34_0) true)
+(expandtypeattribute (sysfs_vibrator_34_0) true)
+(expandtypeattribute (sysfs_wake_lock_34_0) true)
+(expandtypeattribute (sysfs_wakeup_34_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_34_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_34_0) true)
+(expandtypeattribute (sysfs_zram_34_0) true)
+(expandtypeattribute (sysfs_zram_uevent_34_0) true)
+(expandtypeattribute (system_app_34_0) true)
+(expandtypeattribute (system_app_data_file_34_0) true)
+(expandtypeattribute (system_app_service_34_0) true)
+(expandtypeattribute (system_asan_options_file_34_0) true)
+(expandtypeattribute (system_block_device_34_0) true)
+(expandtypeattribute (system_boot_reason_prop_34_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_34_0) true)
+(expandtypeattribute (system_config_service_34_0) true)
+(expandtypeattribute (system_data_file_34_0) true)
+(expandtypeattribute (system_data_root_file_34_0) true)
+(expandtypeattribute (system_dlkm_file_34_0) true)
+(expandtypeattribute (system_event_log_tags_file_34_0) true)
+(expandtypeattribute (system_file_34_0) true)
+(expandtypeattribute (system_group_file_34_0) true)
+(expandtypeattribute (system_jvmti_agent_prop_34_0) true)
+(expandtypeattribute (system_lib_file_34_0) true)
+(expandtypeattribute (system_linker_config_file_34_0) true)
+(expandtypeattribute (system_linker_exec_34_0) true)
+(expandtypeattribute (system_lmk_prop_34_0) true)
+(expandtypeattribute (system_ndebug_socket_34_0) true)
+(expandtypeattribute (system_net_netd_hwservice_34_0) true)
+(expandtypeattribute (system_net_netd_service_34_0) true)
+(expandtypeattribute (system_passwd_file_34_0) true)
+(expandtypeattribute (system_prop_34_0) true)
+(expandtypeattribute (system_seccomp_policy_file_34_0) true)
+(expandtypeattribute (system_security_cacerts_file_34_0) true)
+(expandtypeattribute (system_server_34_0) true)
+(expandtypeattribute (system_server_dumper_service_34_0) true)
+(expandtypeattribute (system_server_tmpfs_34_0) true)
+(expandtypeattribute (system_suspend_control_internal_service_34_0) true)
+(expandtypeattribute (system_suspend_control_service_34_0) true)
+(expandtypeattribute (system_suspend_hwservice_34_0) true)
+(expandtypeattribute (system_trace_prop_34_0) true)
+(expandtypeattribute (system_unsolzygote_socket_34_0) true)
+(expandtypeattribute (system_update_service_34_0) true)
+(expandtypeattribute (system_user_mode_emulation_prop_34_0) true)
+(expandtypeattribute (system_userdir_file_34_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_34_0) true)
+(expandtypeattribute (system_wpa_socket_34_0) true)
+(expandtypeattribute (system_zoneinfo_file_34_0) true)
+(expandtypeattribute (systemkeys_data_file_34_0) true)
+(expandtypeattribute (systemsound_config_prop_34_0) true)
+(expandtypeattribute (tare_service_34_0) true)
+(expandtypeattribute (task_profiles_api_file_34_0) true)
+(expandtypeattribute (task_profiles_file_34_0) true)
+(expandtypeattribute (task_service_34_0) true)
+(expandtypeattribute (tcpdump_exec_34_0) true)
+(expandtypeattribute (tee_34_0) true)
+(expandtypeattribute (tee_data_file_34_0) true)
+(expandtypeattribute (tee_device_34_0) true)
+(expandtypeattribute (telecom_service_34_0) true)
+(expandtypeattribute (telephony_config_prop_34_0) true)
+(expandtypeattribute (telephony_status_prop_34_0) true)
+(expandtypeattribute (test_boot_reason_prop_34_0) true)
+(expandtypeattribute (test_harness_prop_34_0) true)
+(expandtypeattribute (testharness_service_34_0) true)
+(expandtypeattribute (tethering_service_34_0) true)
+(expandtypeattribute (textclassification_service_34_0) true)
+(expandtypeattribute (textclassifier_data_file_34_0) true)
+(expandtypeattribute (textservices_service_34_0) true)
+(expandtypeattribute (texttospeech_service_34_0) true)
+(expandtypeattribute (theme_prop_34_0) true)
+(expandtypeattribute (thermal_service_34_0) true)
+(expandtypeattribute (time_prop_34_0) true)
+(expandtypeattribute (timedetector_service_34_0) true)
+(expandtypeattribute (timezone_prop_34_0) true)
+(expandtypeattribute (timezonedetector_service_34_0) true)
+(expandtypeattribute (tmpfs_34_0) true)
+(expandtypeattribute (tombstone_config_prop_34_0) true)
+(expandtypeattribute (tombstone_data_file_34_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_34_0) true)
+(expandtypeattribute (tombstoned_34_0) true)
+(expandtypeattribute (tombstoned_crash_socket_34_0) true)
+(expandtypeattribute (tombstoned_exec_34_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_34_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_34_0) true)
+(expandtypeattribute (toolbox_34_0) true)
+(expandtypeattribute (toolbox_exec_34_0) true)
+(expandtypeattribute (trace_data_file_34_0) true)
+(expandtypeattribute (traced_34_0) true)
+(expandtypeattribute (traced_consumer_socket_34_0) true)
+(expandtypeattribute (traced_enabled_prop_34_0) true)
+(expandtypeattribute (traced_lazy_prop_34_0) true)
+(expandtypeattribute (traced_oome_heap_session_count_prop_34_0) true)
+(expandtypeattribute (traced_perf_34_0) true)
+(expandtypeattribute (traced_perf_socket_34_0) true)
+(expandtypeattribute (traced_probes_34_0) true)
+(expandtypeattribute (traced_producer_socket_34_0) true)
+(expandtypeattribute (traced_tmpfs_34_0) true)
+(expandtypeattribute (traceur_app_34_0) true)
+(expandtypeattribute (translation_service_34_0) true)
+(expandtypeattribute (trust_service_34_0) true)
+(expandtypeattribute (tty_device_34_0) true)
+(expandtypeattribute (tun_device_34_0) true)
+(expandtypeattribute (tuner_config_prop_34_0) true)
+(expandtypeattribute (tv_iapp_service_34_0) true)
+(expandtypeattribute (tv_input_service_34_0) true)
+(expandtypeattribute (tv_tuner_resource_mgr_service_34_0) true)
+(expandtypeattribute (ublk_block_device_34_0) true)
+(expandtypeattribute (ublk_control_device_34_0) true)
+(expandtypeattribute (ueventd_34_0) true)
+(expandtypeattribute (ueventd_tmpfs_34_0) true)
+(expandtypeattribute (uhid_device_34_0) true)
+(expandtypeattribute (uimode_service_34_0) true)
+(expandtypeattribute (uio_device_34_0) true)
+(expandtypeattribute (uncrypt_34_0) true)
+(expandtypeattribute (uncrypt_exec_34_0) true)
+(expandtypeattribute (uncrypt_socket_34_0) true)
+(expandtypeattribute (unencrypted_data_file_34_0) true)
+(expandtypeattribute (unlabeled_34_0) true)
+(expandtypeattribute (untrusted_app_25_34_0) true)
+(expandtypeattribute (untrusted_app_27_34_0) true)
+(expandtypeattribute (untrusted_app_29_34_0) true)
+(expandtypeattribute (untrusted_app_30_34_0) true)
+(expandtypeattribute (untrusted_app_32_34_0) true)
+(expandtypeattribute (untrusted_app_34_0) true)
+(expandtypeattribute (update_engine_34_0) true)
+(expandtypeattribute (update_engine_data_file_34_0) true)
+(expandtypeattribute (update_engine_exec_34_0) true)
+(expandtypeattribute (update_engine_log_data_file_34_0) true)
+(expandtypeattribute (update_engine_service_34_0) true)
+(expandtypeattribute (update_engine_stable_service_34_0) true)
+(expandtypeattribute (update_verifier_34_0) true)
+(expandtypeattribute (update_verifier_exec_34_0) true)
+(expandtypeattribute (updatelock_service_34_0) true)
+(expandtypeattribute (uri_grants_service_34_0) true)
+(expandtypeattribute (usagestats_service_34_0) true)
+(expandtypeattribute (usb_config_prop_34_0) true)
+(expandtypeattribute (usb_control_prop_34_0) true)
+(expandtypeattribute (usb_device_34_0) true)
+(expandtypeattribute (usb_prop_34_0) true)
+(expandtypeattribute (usb_serial_device_34_0) true)
+(expandtypeattribute (usb_service_34_0) true)
+(expandtypeattribute (usb_uvc_enabled_prop_34_0) true)
+(expandtypeattribute (usbaccessory_device_34_0) true)
+(expandtypeattribute (usbd_34_0) true)
+(expandtypeattribute (usbd_exec_34_0) true)
+(expandtypeattribute (usbfs_34_0) true)
+(expandtypeattribute (use_memfd_prop_34_0) true)
+(expandtypeattribute (user_profile_data_file_34_0) true)
+(expandtypeattribute (user_profile_root_file_34_0) true)
+(expandtypeattribute (user_service_34_0) true)
+(expandtypeattribute (userdata_block_device_34_0) true)
+(expandtypeattribute (userdata_sysdev_34_0) true)
+(expandtypeattribute (userdebug_or_eng_prop_34_0) true)
+(expandtypeattribute (usermodehelper_34_0) true)
+(expandtypeattribute (userspace_reboot_config_prop_34_0) true)
+(expandtypeattribute (userspace_reboot_exported_prop_34_0) true)
+(expandtypeattribute (userspace_reboot_metadata_file_34_0) true)
+(expandtypeattribute (uwb_service_34_0) true)
+(expandtypeattribute (vcn_management_service_34_0) true)
+(expandtypeattribute (vd_device_34_0) true)
+(expandtypeattribute (vdc_34_0) true)
+(expandtypeattribute (vdc_exec_34_0) true)
+(expandtypeattribute (vehicle_hal_prop_34_0) true)
+(expandtypeattribute (vendor_apex_file_34_0) true)
+(expandtypeattribute (vendor_app_file_34_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_34_0) true)
+(expandtypeattribute (vendor_configs_file_34_0) true)
+(expandtypeattribute (vendor_data_file_34_0) true)
+(expandtypeattribute (vendor_default_prop_34_0) true)
+(expandtypeattribute (vendor_file_34_0) true)
+(expandtypeattribute (vendor_framework_file_34_0) true)
+(expandtypeattribute (vendor_hal_file_34_0) true)
+(expandtypeattribute (vendor_idc_file_34_0) true)
+(expandtypeattribute (vendor_init_34_0) true)
+(expandtypeattribute (vendor_kernel_modules_34_0) true)
+(expandtypeattribute (vendor_keychars_file_34_0) true)
+(expandtypeattribute (vendor_keylayout_file_34_0) true)
+(expandtypeattribute (vendor_misc_writer_34_0) true)
+(expandtypeattribute (vendor_misc_writer_exec_34_0) true)
+(expandtypeattribute (vendor_modprobe_34_0) true)
+(expandtypeattribute (vendor_overlay_file_34_0) true)
+(expandtypeattribute (vendor_public_framework_file_34_0) true)
+(expandtypeattribute (vendor_public_lib_file_34_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_34_0) true)
+(expandtypeattribute (vendor_service_contexts_file_34_0) true)
+(expandtypeattribute (vendor_shell_34_0) true)
+(expandtypeattribute (vendor_shell_exec_34_0) true)
+(expandtypeattribute (vendor_socket_hook_prop_34_0) true)
+(expandtypeattribute (vendor_task_profiles_file_34_0) true)
+(expandtypeattribute (vendor_toolbox_exec_34_0) true)
+(expandtypeattribute (vendor_userdir_file_34_0) true)
+(expandtypeattribute (vendor_uuid_mapping_config_file_34_0) true)
+(expandtypeattribute (vendor_vm_data_file_34_0) true)
+(expandtypeattribute (vendor_vm_file_34_0) true)
+(expandtypeattribute (vfat_34_0) true)
+(expandtypeattribute (vibrator_manager_service_34_0) true)
+(expandtypeattribute (vibrator_service_34_0) true)
+(expandtypeattribute (video_device_34_0) true)
+(expandtypeattribute (virtual_ab_prop_34_0) true)
+(expandtypeattribute (virtual_device_service_34_0) true)
+(expandtypeattribute (virtual_face_hal_prop_34_0) true)
+(expandtypeattribute (virtual_fingerprint_hal_prop_34_0) true)
+(expandtypeattribute (virtual_touchpad_34_0) true)
+(expandtypeattribute (virtual_touchpad_exec_34_0) true)
+(expandtypeattribute (virtual_touchpad_service_34_0) true)
+(expandtypeattribute (virtualization_service_34_0) true)
+(expandtypeattribute (vndbinder_device_34_0) true)
+(expandtypeattribute (vndk_prop_34_0) true)
+(expandtypeattribute (vndk_sp_file_34_0) true)
+(expandtypeattribute (vndservice_contexts_file_34_0) true)
+(expandtypeattribute (vndservicemanager_34_0) true)
+(expandtypeattribute (voiceinteraction_service_34_0) true)
+(expandtypeattribute (vold_34_0) true)
+(expandtypeattribute (vold_config_prop_34_0) true)
+(expandtypeattribute (vold_data_file_34_0) true)
+(expandtypeattribute (vold_device_34_0) true)
+(expandtypeattribute (vold_exec_34_0) true)
+(expandtypeattribute (vold_metadata_file_34_0) true)
+(expandtypeattribute (vold_post_fs_data_prop_34_0) true)
+(expandtypeattribute (vold_prepare_subdirs_34_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_34_0) true)
+(expandtypeattribute (vold_prop_34_0) true)
+(expandtypeattribute (vold_service_34_0) true)
+(expandtypeattribute (vold_status_prop_34_0) true)
+(expandtypeattribute (vpn_data_file_34_0) true)
+(expandtypeattribute (vpn_management_service_34_0) true)
+(expandtypeattribute (vr_hwc_service_34_0) true)
+(expandtypeattribute (vr_manager_service_34_0) true)
+(expandtypeattribute (vrflinger_vsync_service_34_0) true)
+(expandtypeattribute (vts_config_prop_34_0) true)
+(expandtypeattribute (vts_status_prop_34_0) true)
+(expandtypeattribute (wallpaper_effects_generation_service_34_0) true)
+(expandtypeattribute (wallpaper_file_34_0) true)
+(expandtypeattribute (wallpaper_service_34_0) true)
+(expandtypeattribute (watchdog_device_34_0) true)
+(expandtypeattribute (watchdog_metadata_file_34_0) true)
+(expandtypeattribute (watchdogd_34_0) true)
+(expandtypeattribute (watchdogd_exec_34_0) true)
+(expandtypeattribute (webview_zygote_34_0) true)
+(expandtypeattribute (webview_zygote_exec_34_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_34_0) true)
+(expandtypeattribute (webviewupdate_service_34_0) true)
+(expandtypeattribute (wifi_config_prop_34_0) true)
+(expandtypeattribute (wifi_data_file_34_0) true)
+(expandtypeattribute (wifi_hal_prop_34_0) true)
+(expandtypeattribute (wifi_key_34_0) true)
+(expandtypeattribute (wifi_log_prop_34_0) true)
+(expandtypeattribute (wifi_prop_34_0) true)
+(expandtypeattribute (wifi_service_34_0) true)
+(expandtypeattribute (wifiaware_service_34_0) true)
+(expandtypeattribute (wificond_34_0) true)
+(expandtypeattribute (wificond_exec_34_0) true)
+(expandtypeattribute (wifinl80211_service_34_0) true)
+(expandtypeattribute (wifip2p_service_34_0) true)
+(expandtypeattribute (wifiscanner_service_34_0) true)
+(expandtypeattribute (window_service_34_0) true)
+(expandtypeattribute (wpa_socket_34_0) true)
+(expandtypeattribute (zero_device_34_0) true)
+(expandtypeattribute (zoned_block_device_34_0) true)
+(expandtypeattribute (zram_config_prop_34_0) true)
+(expandtypeattribute (zram_control_prop_34_0) true)
+(expandtypeattribute (zygote_34_0) true)
+(expandtypeattribute (zygote_config_prop_34_0) true)
+(expandtypeattribute (zygote_exec_34_0) true)
+(expandtypeattribute (zygote_socket_34_0) true)
+(expandtypeattribute (zygote_tmpfs_34_0) true)
+(typeattributeset DockObserver_service_34_0 (DockObserver_service))
+(typeattributeset IProxyService_service_34_0 (IProxyService_service))
+(typeattributeset aac_drc_prop_34_0 (aac_drc_prop))
+(typeattributeset aaudio_config_prop_34_0 (aaudio_config_prop))
+(typeattributeset ab_update_gki_prop_34_0 (ab_update_gki_prop))
+(typeattributeset accessibility_service_34_0 (accessibility_service))
+(typeattributeset account_service_34_0 (account_service))
+(typeattributeset activity_service_34_0 (activity_service))
+(typeattributeset activity_task_service_34_0 (activity_task_service))
+(typeattributeset adaptive_haptics_prop_34_0 (adaptive_haptics_prop))
+(typeattributeset adb_data_file_34_0 (adb_data_file))
+(typeattributeset adb_keys_file_34_0 (adb_keys_file))
+(typeattributeset adb_service_34_0 (adb_service))
+(typeattributeset adbd_34_0 (adbd))
+(typeattributeset adbd_config_prop_34_0 (adbd_config_prop))
+(typeattributeset adbd_exec_34_0 (adbd_exec))
+(typeattributeset adbd_socket_34_0 (adbd_socket))
+(typeattributeset adservices_manager_service_34_0 (adservices_manager_service))
+(typeattributeset aidl_lazy_test_server_34_0 (aidl_lazy_test_server))
+(typeattributeset aidl_lazy_test_server_exec_34_0 (aidl_lazy_test_server_exec))
+(typeattributeset aidl_lazy_test_service_34_0 (aidl_lazy_test_service))
+(typeattributeset alarm_service_34_0 (alarm_service))
+(typeattributeset anr_data_file_34_0 (anr_data_file))
+(typeattributeset apc_service_34_0 (apc_service))
+(typeattributeset apex_data_file_34_0 (apex_data_file))
+(typeattributeset apex_info_file_34_0 (apex_info_file))
+(typeattributeset apex_metadata_file_34_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_34_0 (apex_mnt_dir))
+(typeattributeset apex_module_data_file_34_0 (apex_module_data_file))
+(typeattributeset apex_ota_reserved_file_34_0 (apex_ota_reserved_file))
+(typeattributeset apex_ready_prop_34_0 (apex_ready_prop))
+(typeattributeset apex_rollback_data_file_34_0 (apex_rollback_data_file))
+(typeattributeset apex_service_34_0 (apex_service))
+(typeattributeset apex_system_server_data_file_34_0 (apex_system_server_data_file))
+(typeattributeset apexd_34_0 (apexd))
+(typeattributeset apexd_config_prop_34_0 (apexd_config_prop))
+(typeattributeset apexd_exec_34_0 (apexd_exec))
+(typeattributeset apexd_prop_34_0 (apexd_prop))
+(typeattributeset apexd_select_prop_34_0 (apexd_select_prop))
+(typeattributeset apk_data_file_34_0 (apk_data_file))
+(typeattributeset apk_private_data_file_34_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_34_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_34_0 (apk_tmp_file))
+(typeattributeset apk_verity_prop_34_0 (apk_verity_prop))
+(typeattributeset app_binding_service_34_0 (app_binding_service))
+(typeattributeset app_data_file_34_0 (app_data_file))
+(typeattributeset app_fuse_file_34_0 (app_fuse_file))
+(typeattributeset app_fusefs_34_0 (app_fusefs))
+(typeattributeset app_hibernation_service_34_0 (app_hibernation_service))
+(typeattributeset app_integrity_service_34_0 (app_integrity_service))
+(typeattributeset app_prediction_service_34_0 (app_prediction_service))
+(typeattributeset app_search_service_34_0 (app_search_service))
+(typeattributeset app_zygote_34_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_34_0 (app_zygote_tmpfs))
+(typeattributeset appcompat_data_file_34_0 (appcompat_data_file))
+(typeattributeset appdomain_tmpfs_34_0 (appdomain_tmpfs))
+(typeattributeset appops_service_34_0 (appops_service))
+(typeattributeset appwidget_service_34_0 (appwidget_service))
+(typeattributeset arm64_memtag_prop_34_0 (arm64_memtag_prop))
+(typeattributeset art_apex_dir_34_0 (art_apex_dir))
+(typeattributeset artd_34_0 (artd))
+(typeattributeset artd_service_34_0 (artd_service))
+(typeattributeset asec_apk_file_34_0 (asec_apk_file))
+(typeattributeset asec_image_file_34_0 (asec_image_file))
+(typeattributeset asec_public_file_34_0 (asec_public_file))
+(typeattributeset ashmem_device_34_0 (ashmem_device))
+(typeattributeset ashmem_libcutils_device_34_0 (ashmem_libcutils_device))
+(typeattributeset assetatlas_service_34_0 (assetatlas_service))
+(typeattributeset atrace_34_0 (atrace))
+(typeattributeset attestation_verification_service_34_0 (attestation_verification_service))
+(typeattributeset audio_config_prop_34_0 (audio_config_prop))
+(typeattributeset audio_data_file_34_0 (audio_data_file))
+(typeattributeset audio_device_34_0 (audio_device))
+(typeattributeset audio_prop_34_0 (audio_prop))
+(typeattributeset audio_service_34_0 (audio_service))
+(typeattributeset audiohal_data_file_34_0 (audiohal_data_file))
+(typeattributeset audioserver_34_0 (audioserver))
+(typeattributeset audioserver_data_file_34_0 (audioserver_data_file))
+(typeattributeset audioserver_service_34_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_34_0 (audioserver_tmpfs))
+(typeattributeset auth_service_34_0 (auth_service))
+(typeattributeset authorization_service_34_0 (authorization_service))
+(typeattributeset autofill_service_34_0 (autofill_service))
+(typeattributeset backup_data_file_34_0 (backup_data_file))
+(typeattributeset backup_service_34_0 (backup_service))
+(typeattributeset battery_service_34_0 (battery_service))
+(typeattributeset batteryproperties_service_34_0 (batteryproperties_service))
+(typeattributeset batterystats_service_34_0 (batterystats_service))
+(typeattributeset binder_cache_bluetooth_server_prop_34_0 (binder_cache_bluetooth_server_prop))
+(typeattributeset binder_cache_system_server_prop_34_0 (binder_cache_system_server_prop))
+(typeattributeset binder_cache_telephony_server_prop_34_0 (binder_cache_telephony_server_prop))
+(typeattributeset binder_calls_stats_service_34_0 (binder_calls_stats_service))
+(typeattributeset binder_device_34_0 (binder_device))
+(typeattributeset binderfs_34_0 (binderfs))
+(typeattributeset binderfs_features_34_0 (binderfs_features))
+(typeattributeset binderfs_logs_34_0 (binderfs_logs))
+(typeattributeset binderfs_logs_proc_34_0 (binderfs_logs_proc))
+(typeattributeset binfmt_miscfs_34_0 (binfmt_miscfs))
+(typeattributeset biometric_service_34_0 (biometric_service))
+(typeattributeset blkid_34_0 (blkid))
+(typeattributeset blkid_untrusted_34_0 (blkid_untrusted))
+(typeattributeset blob_store_service_34_0 (blob_store_service))
+(typeattributeset block_device_34_0 (block_device))
+(typeattributeset bluetooth_34_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_34_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_34_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_config_prop_34_0 (bluetooth_config_prop))
+(typeattributeset bluetooth_data_file_34_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_34_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_34_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_34_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_34_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_34_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_34_0 (bluetooth_socket))
+(typeattributeset boot_block_device_34_0 (boot_block_device))
+(typeattributeset boot_status_prop_34_0 (boot_status_prop))
+(typeattributeset bootanim_34_0 (bootanim))
+(typeattributeset bootanim_config_prop_34_0 (bootanim_config_prop))
+(typeattributeset bootanim_exec_34_0 (bootanim_exec))
+(typeattributeset bootanim_system_prop_34_0 (bootanim_system_prop))
+(typeattributeset bootchart_data_file_34_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_34_0 (bootloader_boot_reason_prop))
+(typeattributeset bootloader_prop_34_0 (bootloader_prop))
+(typeattributeset bootstat_34_0 (bootstat))
+(typeattributeset bootstat_data_file_34_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_34_0 (bootstat_exec))
+(typeattributeset boottime_prop_34_0 (boottime_prop))
+(typeattributeset boottime_public_prop_34_0 (boottime_public_prop))
+(typeattributeset boottrace_data_file_34_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_34_0 (bpf_progs_loaded_prop))
+(typeattributeset bpfloader_34_0 (bpfloader))
+(typeattributeset bq_config_prop_34_0 (bq_config_prop))
+(typeattributeset broadcastradio_service_34_0 (broadcastradio_service))
+(typeattributeset bt_device_34_0 (bt_device))
+(typeattributeset bufferhubd_34_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_34_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_34_0 (bugreport_service))
+(typeattributeset build_attestation_prop_34_0 (build_attestation_prop))
+(typeattributeset build_bootimage_prop_34_0 (build_bootimage_prop))
+(typeattributeset build_config_prop_34_0 (build_config_prop))
+(typeattributeset build_odm_prop_34_0 (build_odm_prop))
+(typeattributeset build_prop_34_0 (build_prop))
+(typeattributeset build_vendor_prop_34_0 (build_vendor_prop))
+(typeattributeset cache_backup_file_34_0 (cache_backup_file))
+(typeattributeset cache_block_device_34_0 (cache_block_device))
+(typeattributeset cache_file_34_0 (cache_file))
+(typeattributeset cache_private_backup_file_34_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_34_0 (cache_recovery_file))
+(typeattributeset cacheinfo_service_34_0 (cacheinfo_service))
+(typeattributeset camera2_extensions_prop_34_0 (camera2_extensions_prop))
+(typeattributeset camera_calibration_prop_34_0 (camera_calibration_prop))
+(typeattributeset camera_config_prop_34_0 (camera_config_prop))
+(typeattributeset camera_data_file_34_0 (camera_data_file))
+(typeattributeset camera_device_34_0 (camera_device))
+(typeattributeset cameraproxy_service_34_0 (cameraproxy_service))
+(typeattributeset cameraserver_34_0 (cameraserver))
+(typeattributeset cameraserver_exec_34_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_34_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_34_0 (cameraserver_tmpfs))
+(typeattributeset camerax_extensions_prop_34_0 (camerax_extensions_prop))
+(typeattributeset cgroup_34_0 (cgroup))
+(typeattributeset cgroup_desc_api_file_34_0 (cgroup_desc_api_file))
+(typeattributeset cgroup_desc_file_34_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_34_0 (cgroup_rc_file))
+(typeattributeset cgroup_v2_34_0 (cgroup_v2))
+(typeattributeset charger_34_0 (charger))
+(typeattributeset charger_config_prop_34_0 (charger_config_prop))
+(typeattributeset charger_exec_34_0 (charger_exec))
+(typeattributeset charger_prop_34_0 (charger_prop))
+(typeattributeset charger_status_prop_34_0 (charger_status_prop))
+(typeattributeset charger_vendor_34_0 (charger_vendor))
+(typeattributeset clipboard_service_34_0 (clipboard_service))
+(typeattributeset cloudsearch_service_34_0 (cloudsearch_service))
+(typeattributeset codec2_config_prop_34_0 (codec2_config_prop))
+(typeattributeset cold_boot_done_prop_34_0 (cold_boot_done_prop))
+(typeattributeset color_display_service_34_0 (color_display_service))
+(typeattributeset companion_device_service_34_0 (companion_device_service))
+(typeattributeset composd_vm_art_prop_34_0 (composd_vm_art_prop))
+(typeattributeset composd_vm_vendor_prop_34_0 (composd_vm_vendor_prop))
+(typeattributeset config_prop_34_0 (config_prop))
+(typeattributeset configfs_34_0 (configfs))
+(typeattributeset connectivity_native_service_34_0 (connectivity_native_service))
+(typeattributeset connectivity_service_34_0 (connectivity_service))
+(typeattributeset connmetrics_service_34_0 (connmetrics_service))
+(typeattributeset console_device_34_0 (console_device))
+(typeattributeset consumer_ir_service_34_0 (consumer_ir_service))
+(typeattributeset content_capture_service_34_0 (content_capture_service))
+(typeattributeset content_service_34_0 (content_service))
+(typeattributeset content_suggestions_service_34_0 (content_suggestions_service))
+(typeattributeset contexthub_service_34_0 (contexthub_service))
+(typeattributeset coredump_file_34_0 (coredump_file))
+(typeattributeset country_detector_service_34_0 (country_detector_service))
+(typeattributeset coverage_service_34_0 (coverage_service))
+(typeattributeset cppreopt_prop_34_0 (cppreopt_prop))
+(typeattributeset cpu_monitor_service_34_0 (cpu_monitor_service))
+(typeattributeset cpu_variant_prop_34_0 (cpu_variant_prop))
+(typeattributeset cpuinfo_service_34_0 (cpuinfo_service))
+(typeattributeset crash_dump_34_0 (crash_dump))
+(typeattributeset crash_dump_exec_34_0 (crash_dump_exec))
+(typeattributeset credential_service_34_0 (credential_service))
+(typeattributeset credstore_34_0 (credstore))
+(typeattributeset credstore_data_file_34_0 (credstore_data_file))
+(typeattributeset credstore_exec_34_0 (credstore_exec))
+(typeattributeset credstore_service_34_0 (credstore_service))
+(typeattributeset crossprofileapps_service_34_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_34_0 (ctl_adbd_prop))
+(typeattributeset ctl_apexd_prop_34_0 (ctl_apexd_prop))
+(typeattributeset ctl_bootanim_prop_34_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_34_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_34_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_34_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_34_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_34_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_34_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_34_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_34_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_34_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_34_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_34_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_34_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_34_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_34_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_34_0 (ctl_stop_prop))
+(typeattributeset dalvik_config_prop_34_0 (dalvik_config_prop))
+(typeattributeset dalvik_dynamic_config_prop_34_0 (dalvik_dynamic_config_prop))
+(typeattributeset dalvik_prop_34_0 (dalvik_prop))
+(typeattributeset dalvik_runtime_prop_34_0 (dalvik_runtime_prop))
+(typeattributeset dalvikcache_data_file_34_0 (dalvikcache_data_file))
+(typeattributeset dataloader_manager_service_34_0 (dataloader_manager_service))
+(typeattributeset dbinfo_service_34_0 (dbinfo_service))
+(typeattributeset dck_prop_34_0 (dck_prop))
+(typeattributeset debug_prop_34_0 (debug_prop))
+(typeattributeset debugfs_34_0 (debugfs))
+(typeattributeset debugfs_bootreceiver_tracing_34_0 (debugfs_bootreceiver_tracing))
+(typeattributeset debugfs_kprobes_34_0 (debugfs_kprobes))
+(typeattributeset debugfs_mm_events_tracing_34_0 (debugfs_mm_events_tracing))
+(typeattributeset debugfs_mmc_34_0 (debugfs_mmc))
+(typeattributeset debugfs_restriction_prop_34_0 (debugfs_restriction_prop))
+(typeattributeset debugfs_trace_marker_34_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_34_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_34_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_34_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_tracing_printk_formats_34_0 (debugfs_tracing_printk_formats))
+(typeattributeset debugfs_wakeup_sources_34_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_34_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_34_0 (debuggerd_prop))
+(typeattributeset default_android_hwservice_34_0 (default_android_hwservice))
+(typeattributeset default_android_service_34_0 (default_android_service))
+(typeattributeset default_android_vndservice_34_0 (default_android_vndservice))
+(typeattributeset default_prop_34_0 (default_prop))
+(typeattributeset dev_cpu_variant_34_0 (dev_cpu_variant))
+(typeattributeset device_34_0 (device vfio_device))
+(typeattributeset device_config_activity_manager_native_boot_prop_34_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_34_0 (device_config_boot_count_prop))
+(typeattributeset device_config_camera_native_prop_34_0 (device_config_camera_native_prop))
+(typeattributeset device_config_edgetpu_native_prop_34_0 (device_config_edgetpu_native_prop))
+(typeattributeset device_config_input_native_boot_prop_34_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_34_0 (device_config_media_native_prop))
+(typeattributeset device_config_memory_safety_native_boot_prop_34_0 (device_config_memory_safety_native_boot_prop))
+(typeattributeset device_config_memory_safety_native_prop_34_0 (device_config_memory_safety_native_prop))
+(typeattributeset device_config_netd_native_prop_34_0 (device_config_netd_native_prop))
+(typeattributeset device_config_nnapi_native_prop_34_0 (device_config_nnapi_native_prop))
+(typeattributeset device_config_reset_performed_prop_34_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_34_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_34_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_34_0 (device_config_service))
+(typeattributeset device_config_surface_flinger_native_boot_prop_34_0 (device_config_surface_flinger_native_boot_prop))
+(typeattributeset device_config_updatable_service_34_0 (device_config_updatable_service))
+(typeattributeset device_config_vendor_system_native_boot_prop_34_0 (device_config_vendor_system_native_boot_prop))
+(typeattributeset device_config_vendor_system_native_prop_34_0 (device_config_vendor_system_native_prop))
+(typeattributeset device_identifiers_service_34_0 (device_identifiers_service))
+(typeattributeset device_logging_prop_34_0 (device_logging_prop))
+(typeattributeset device_policy_service_34_0 (device_policy_service))
+(typeattributeset device_state_service_34_0 (device_state_service))
+(typeattributeset deviceidle_service_34_0 (deviceidle_service))
+(typeattributeset devicelock_service_34_0 (devicelock_service))
+(typeattributeset devicestoragemonitor_service_34_0 (devicestoragemonitor_service))
+(typeattributeset devpts_34_0 (devpts))
+(typeattributeset dhcp_34_0 (dhcp))
+(typeattributeset dhcp_data_file_34_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_34_0 (dhcp_exec))
+(typeattributeset dhcp_prop_34_0 (dhcp_prop))
+(typeattributeset diskstats_service_34_0 (diskstats_service))
+(typeattributeset display_service_34_0 (display_service))
+(typeattributeset dm_device_34_0 (dm_device))
+(typeattributeset dm_user_device_34_0 (dm_user_device))
+(typeattributeset dmabuf_heap_device_34_0 (dmabuf_heap_device))
+(typeattributeset dmabuf_system_heap_device_34_0 (dmabuf_system_heap_device))
+(typeattributeset dmabuf_system_secure_heap_device_34_0 (dmabuf_system_secure_heap_device))
+(typeattributeset dnsmasq_34_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_34_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_34_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_34_0 (dnsresolver_service))
+(typeattributeset domain_verification_service_34_0 (domain_verification_service))
+(typeattributeset dreams_service_34_0 (dreams_service))
+(typeattributeset drm_data_file_34_0 (drm_data_file))
+(typeattributeset drm_service_config_prop_34_0 (drm_service_config_prop))
+(typeattributeset drmserver_34_0 (drmserver))
+(typeattributeset drmserver_exec_34_0 (drmserver_exec))
+(typeattributeset drmserver_service_34_0 (drmserver_service))
+(typeattributeset drmserver_socket_34_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_34_0 (dropbox_data_file))
+(typeattributeset dropbox_service_34_0 (dropbox_service))
+(typeattributeset dumpstate_34_0 (dumpstate))
+(typeattributeset dumpstate_exec_34_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_34_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_34_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_34_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_34_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_34_0 (dynamic_system_prop))
+(typeattributeset e2fs_34_0 (e2fs))
+(typeattributeset e2fs_exec_34_0 (e2fs_exec))
+(typeattributeset efs_file_34_0 (efs_file))
+(typeattributeset emergency_affordance_service_34_0 (emergency_affordance_service))
+(typeattributeset ephemeral_app_34_0 (ephemeral_app))
+(typeattributeset ethernet_service_34_0 (ethernet_service))
+(typeattributeset evsmanagerd_34_0 (evsmanagerd))
+(typeattributeset evsmanagerd_service_34_0 (evsmanagerd_service))
+(typeattributeset exfat_34_0 (exfat))
+(typeattributeset exported3_system_prop_34_0 (exported3_system_prop))
+(typeattributeset exported_bluetooth_prop_34_0 (exported_bluetooth_prop))
+(typeattributeset exported_camera_prop_34_0 (exported_camera_prop))
+(typeattributeset exported_config_prop_34_0 (exported_config_prop))
+(typeattributeset exported_default_prop_34_0 (exported_default_prop))
+(typeattributeset exported_dumpstate_prop_34_0 (exported_dumpstate_prop))
+(typeattributeset exported_overlay_prop_34_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_34_0 (exported_pm_prop))
+(typeattributeset exported_secure_prop_34_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_34_0 (exported_system_prop))
+(typeattributeset external_vibrator_service_34_0 (external_vibrator_service))
+(typeattributeset extra_free_kbytes_34_0 (extra_free_kbytes))
+(typeattributeset extra_free_kbytes_exec_34_0 (extra_free_kbytes_exec))
+(typeattributeset face_service_34_0 (face_service))
+(typeattributeset face_vendor_data_file_34_0 (face_vendor_data_file))
+(typeattributeset fastbootd_34_0 (fastbootd))
+(typeattributeset ffs_config_prop_34_0 (ffs_config_prop))
+(typeattributeset ffs_control_prop_34_0 (ffs_control_prop))
+(typeattributeset file_contexts_file_34_0 (file_contexts_file))
+(typeattributeset file_integrity_service_34_0 (file_integrity_service))
+(typeattributeset fingerprint_prop_34_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_34_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_34_0 (fingerprint_vendor_data_file))
+(typeattributeset fingerprintd_34_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_34_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_34_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_34_0 (fingerprintd_service))
+(typeattributeset firstboot_prop_34_0 (firstboot_prop))
+(typeattributeset flags_health_check_34_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_34_0 (flags_health_check_exec))
+(typeattributeset font_service_34_0 (font_service))
+(typeattributeset framework_status_prop_34_0 (framework_status_prop))
+(typeattributeset framework_watchdog_config_prop_34_0 (framework_watchdog_config_prop))
+(typeattributeset frp_block_device_34_0 (frp_block_device))
+(typeattributeset fs_bpf_34_0 (fs_bpf))
+(typeattributeset fs_bpf_tethering_34_0 (fs_bpf_tethering))
+(typeattributeset fs_bpf_vendor_34_0 (fs_bpf_vendor))
+(typeattributeset fsck_34_0 (fsck))
+(typeattributeset fsck_exec_34_0 (fsck_exec))
+(typeattributeset fsck_untrusted_34_0 (fsck_untrusted))
+(typeattributeset fscklogs_34_0 (fscklogs))
+(typeattributeset functionfs_34_0 (functionfs))
+(typeattributeset fuse_34_0 (fuse))
+(typeattributeset fuse_device_34_0 (fuse_device))
+(typeattributeset fuseblk_34_0 (fuseblk))
+(typeattributeset fusectlfs_34_0 (fusectlfs))
+(typeattributeset future_pm_prop_34_0 (future_pm_prop))
+(typeattributeset fwk_altitude_service_34_0 (fwk_altitude_service))
+(typeattributeset fwk_automotive_display_hwservice_34_0 (fwk_automotive_display_hwservice))
+(typeattributeset fwk_automotive_display_service_34_0 (fwk_automotive_display_service))
+(typeattributeset fwk_bufferhub_hwservice_34_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_34_0 (fwk_camera_hwservice))
+(typeattributeset fwk_camera_service_34_0 (fwk_camera_service))
+(typeattributeset fwk_display_hwservice_34_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_34_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_34_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_sensor_service_34_0 (fwk_sensor_service))
+(typeattributeset fwk_stats_hwservice_34_0 (fwk_stats_hwservice))
+(typeattributeset fwk_stats_service_34_0 (fwk_stats_service))
+(typeattributeset fwmarkd_socket_34_0 (fwmarkd_socket))
+(typeattributeset game_mode_intervention_list_file_34_0 (game_mode_intervention_list_file))
+(typeattributeset game_service_34_0 (game_service))
+(typeattributeset gatekeeper_data_file_34_0 (gatekeeper_data_file))
+(typeattributeset gatekeeper_service_34_0 (gatekeeper_service))
+(typeattributeset gatekeeperd_34_0 (gatekeeperd))
+(typeattributeset gatekeeperd_exec_34_0 (gatekeeperd_exec))
+(typeattributeset gesture_prop_34_0 (gesture_prop))
+(typeattributeset gfxinfo_service_34_0 (gfxinfo_service))
+(typeattributeset gmscore_app_34_0 (gmscore_app))
+(typeattributeset gnss_device_34_0 (gnss_device))
+(typeattributeset gnss_time_update_service_34_0 (gnss_time_update_service))
+(typeattributeset gps_control_34_0 (gps_control))
+(typeattributeset gpu_device_34_0 (gpu_device))
+(typeattributeset gpu_service_34_0 (gpu_service))
+(typeattributeset gpuservice_34_0 (gpuservice))
+(typeattributeset grammatical_inflection_service_34_0 (grammatical_inflection_service))
+(typeattributeset graphics_config_prop_34_0 (graphics_config_prop))
+(typeattributeset graphics_config_writable_prop_34_0 (graphics_config_writable_prop))
+(typeattributeset graphics_device_34_0 (graphics_device))
+(typeattributeset graphicsstats_service_34_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_34_0 (gsi_data_file))
+(typeattributeset gsi_metadata_file_34_0 (gsi_metadata_file))
+(typeattributeset gsi_public_metadata_file_34_0 (gsi_public_metadata_file))
+(typeattributeset gwp_asan_prop_34_0 (gwp_asan_prop))
+(typeattributeset hal_atrace_hwservice_34_0 (hal_atrace_hwservice))
+(typeattributeset hal_audio_hwservice_34_0 (hal_audio_hwservice))
+(typeattributeset hal_audio_service_34_0 (hal_audio_service))
+(typeattributeset hal_audiocontrol_hwservice_34_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_audiocontrol_service_34_0 (hal_audiocontrol_service))
+(typeattributeset hal_authsecret_hwservice_34_0 (hal_authsecret_hwservice))
+(typeattributeset hal_authsecret_service_34_0 (hal_authsecret_service))
+(typeattributeset hal_bluetooth_hwservice_34_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bluetooth_service_34_0 (hal_bluetooth_service))
+(typeattributeset hal_bootctl_hwservice_34_0 (hal_bootctl_hwservice))
+(typeattributeset hal_bootctl_service_34_0 (hal_bootctl_service))
+(typeattributeset hal_broadcastradio_hwservice_34_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_broadcastradio_service_34_0 (hal_broadcastradio_service))
+(typeattributeset hal_camera_hwservice_34_0 (hal_camera_hwservice))
+(typeattributeset hal_camera_service_34_0 (hal_camera_service))
+(typeattributeset hal_can_bus_hwservice_34_0 (hal_can_bus_hwservice))
+(typeattributeset hal_can_controller_hwservice_34_0 (hal_can_controller_hwservice))
+(typeattributeset hal_can_controller_service_34_0 (hal_can_controller_service))
+(typeattributeset hal_cas_hwservice_34_0 (hal_cas_hwservice))
+(typeattributeset hal_cas_service_34_0 (hal_cas_service))
+(typeattributeset hal_codec2_hwservice_34_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_34_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_34_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_confirmationui_service_34_0 (hal_confirmationui_service))
+(typeattributeset hal_contexthub_hwservice_34_0 (hal_contexthub_hwservice))
+(typeattributeset hal_contexthub_service_34_0 (hal_contexthub_service))
+(typeattributeset hal_drm_hwservice_34_0 (hal_drm_hwservice))
+(typeattributeset hal_drm_service_34_0 (hal_drm_service))
+(typeattributeset hal_dumpstate_config_prop_34_0 (hal_dumpstate_config_prop))
+(typeattributeset hal_dumpstate_hwservice_34_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_dumpstate_service_34_0 (hal_dumpstate_service))
+(typeattributeset hal_evs_hwservice_34_0 (hal_evs_hwservice))
+(typeattributeset hal_evs_service_34_0 (hal_evs_service))
+(typeattributeset hal_face_hwservice_34_0 (hal_face_hwservice))
+(typeattributeset hal_face_service_34_0 (hal_face_service))
+(typeattributeset hal_fastboot_service_34_0 (hal_fastboot_service))
+(typeattributeset hal_fingerprint_hwservice_34_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_34_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_34_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gatekeeper_service_34_0 (hal_gatekeeper_service))
+(typeattributeset hal_gnss_hwservice_34_0 (hal_gnss_hwservice))
+(typeattributeset hal_gnss_service_34_0 (hal_gnss_service))
+(typeattributeset hal_graphics_allocator_hwservice_34_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_allocator_service_34_0 (hal_graphics_allocator_service))
+(typeattributeset hal_graphics_composer_hwservice_34_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_34_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_composer_service_34_0 (hal_graphics_composer_service))
+(typeattributeset hal_graphics_mapper_hwservice_34_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_34_0 (hal_health_hwservice))
+(typeattributeset hal_health_service_34_0 (hal_health_service))
+(typeattributeset hal_health_storage_hwservice_34_0 (hal_health_storage_hwservice))
+(typeattributeset hal_health_storage_service_34_0 (hal_health_storage_service))
+(typeattributeset hal_identity_service_34_0 (hal_identity_service))
+(typeattributeset hal_input_classifier_hwservice_34_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_input_processor_service_34_0 (hal_input_processor_service))
+(typeattributeset hal_instrumentation_prop_34_0 (hal_instrumentation_prop))
+(typeattributeset hal_ir_hwservice_34_0 (hal_ir_hwservice))
+(typeattributeset hal_ir_service_34_0 (hal_ir_service))
+(typeattributeset hal_ivn_service_34_0 (hal_ivn_service))
+(typeattributeset hal_keymaster_hwservice_34_0 (hal_keymaster_hwservice))
+(typeattributeset hal_keymint_service_34_0 (hal_keymint_service))
+(typeattributeset hal_light_hwservice_34_0 (hal_light_hwservice))
+(typeattributeset hal_light_service_34_0 (hal_light_service))
+(typeattributeset hal_lowpan_hwservice_34_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_34_0 (hal_memtrack_hwservice))
+(typeattributeset hal_memtrack_service_34_0 (hal_memtrack_service))
+(typeattributeset hal_neuralnetworks_hwservice_34_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_neuralnetworks_service_34_0 (hal_neuralnetworks_service))
+(typeattributeset hal_nfc_hwservice_34_0 (hal_nfc_hwservice))
+(typeattributeset hal_nfc_service_34_0 (hal_nfc_service))
+(typeattributeset hal_nlinterceptor_service_34_0 (hal_nlinterceptor_service))
+(typeattributeset hal_oemlock_hwservice_34_0 (hal_oemlock_hwservice))
+(typeattributeset hal_oemlock_service_34_0 (hal_oemlock_service))
+(typeattributeset hal_omx_hwservice_34_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_34_0 (hal_power_hwservice))
+(typeattributeset hal_power_service_34_0 (hal_power_service))
+(typeattributeset hal_power_stats_hwservice_34_0 (hal_power_stats_hwservice))
+(typeattributeset hal_power_stats_service_34_0 (hal_power_stats_service))
+(typeattributeset hal_radio_service_34_0 (hal_radio_service))
+(typeattributeset hal_rebootescrow_service_34_0 (hal_rebootescrow_service))
+(typeattributeset hal_remoteaccess_service_34_0 (hal_remoteaccess_service))
+(typeattributeset hal_remotelyprovisionedcomponent_service_34_0 (hal_remotelyprovisionedcomponent_service))
+(typeattributeset hal_renderscript_hwservice_34_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_34_0 (hal_secure_element_hwservice))
+(typeattributeset hal_secure_element_service_34_0 (hal_secure_element_service))
+(typeattributeset hal_secureclock_service_34_0 (hal_secureclock_service))
+(typeattributeset hal_sensors_hwservice_34_0 (hal_sensors_hwservice))
+(typeattributeset hal_sensors_service_34_0 (hal_sensors_service))
+(typeattributeset hal_sharedsecret_service_34_0 (hal_sharedsecret_service))
+(typeattributeset hal_system_suspend_service_34_0 (hal_system_suspend_service))
+(typeattributeset hal_telephony_hwservice_34_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_34_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_tetheroffload_service_34_0 (hal_tetheroffload_service))
+(typeattributeset hal_thermal_hwservice_34_0 (hal_thermal_hwservice))
+(typeattributeset hal_thermal_service_34_0 (hal_thermal_service))
+(typeattributeset hal_tv_cec_hwservice_34_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_hdmi_cec_service_34_0 (hal_tv_hdmi_cec_service))
+(typeattributeset hal_tv_hdmi_connection_service_34_0 (hal_tv_hdmi_connection_service))
+(typeattributeset hal_tv_hdmi_earc_service_34_0 (hal_tv_hdmi_earc_service))
+(typeattributeset hal_tv_input_hwservice_34_0 (hal_tv_input_hwservice))
+(typeattributeset hal_tv_input_service_34_0 (hal_tv_input_service))
+(typeattributeset hal_tv_tuner_hwservice_34_0 (hal_tv_tuner_hwservice))
+(typeattributeset hal_tv_tuner_service_34_0 (hal_tv_tuner_service))
+(typeattributeset hal_usb_gadget_hwservice_34_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_gadget_service_34_0 (hal_usb_gadget_service))
+(typeattributeset hal_usb_hwservice_34_0 (hal_usb_hwservice))
+(typeattributeset hal_usb_service_34_0 (hal_usb_service))
+(typeattributeset hal_uwb_service_34_0 (hal_uwb_service))
+(typeattributeset hal_vehicle_hwservice_34_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vehicle_service_34_0 (hal_vehicle_service))
+(typeattributeset hal_vibrator_hwservice_34_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vibrator_service_34_0 (hal_vibrator_service))
+(typeattributeset hal_vr_hwservice_34_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_34_0 (hal_weaver_hwservice))
+(typeattributeset hal_weaver_service_34_0 (hal_weaver_service))
+(typeattributeset hal_wifi_hostapd_hwservice_34_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hostapd_service_34_0 (hal_wifi_hostapd_service))
+(typeattributeset hal_wifi_hwservice_34_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_service_34_0 (hal_wifi_service))
+(typeattributeset hal_wifi_supplicant_hwservice_34_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hal_wifi_supplicant_service_34_0 (hal_wifi_supplicant_service))
+(typeattributeset hardware_properties_service_34_0 (hardware_properties_service))
+(typeattributeset hardware_service_34_0 (hardware_service))
+(typeattributeset hci_attach_dev_34_0 (hci_attach_dev))
+(typeattributeset hdmi_config_prop_34_0 (hdmi_config_prop))
+(typeattributeset hdmi_control_service_34_0 (hdmi_control_service))
+(typeattributeset healthconnect_service_34_0 (healthconnect_service))
+(typeattributeset healthd_34_0 (healthd))
+(typeattributeset heapdump_data_file_34_0 (heapdump_data_file))
+(typeattributeset heapprofd_34_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_34_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_34_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_34_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_34_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_34_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_34_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_34_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_34_0 (hidl_token_hwservice))
+(typeattributeset hint_service_34_0 (hint_service))
+(typeattributeset hw_random_device_34_0 (hw_random_device))
+(typeattributeset hw_timeout_multiplier_prop_34_0 (hw_timeout_multiplier_prop))
+(typeattributeset hwbinder_device_34_0 (hwbinder_device))
+(typeattributeset hwservice_contexts_file_34_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_34_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_34_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_34_0 (hwservicemanager_prop))
+(typeattributeset hypervisor_prop_34_0 (hypervisor_prop))
+(typeattributeset hypervisor_restricted_prop_34_0 (hypervisor_restricted_prop))
+(typeattributeset icon_file_34_0 (icon_file))
+(typeattributeset idmap_34_0 (idmap))
+(typeattributeset idmap_exec_34_0 (idmap_exec))
+(typeattributeset idmap_service_34_0 (idmap_service))
+(typeattributeset iio_device_34_0 (iio_device))
+(typeattributeset imms_service_34_0 (imms_service))
+(typeattributeset incident_34_0 (incident))
+(typeattributeset incident_data_file_34_0 (incident_data_file))
+(typeattributeset incident_helper_34_0 (incident_helper))
+(typeattributeset incident_service_34_0 (incident_service))
+(typeattributeset incidentd_34_0 (incidentd))
+(typeattributeset incremental_control_file_34_0 (incremental_control_file))
+(typeattributeset incremental_prop_34_0 (incremental_prop))
+(typeattributeset incremental_service_34_0 (incremental_service))
+(typeattributeset init_34_0 (init))
+(typeattributeset init_exec_34_0 (init_exec))
+(typeattributeset init_service_status_prop_34_0 (init_service_status_prop))
+(typeattributeset init_tmpfs_34_0 (init_tmpfs))
+(typeattributeset inotify_34_0 (inotify))
+(typeattributeset input_device_34_0 (input_device))
+(typeattributeset input_method_service_34_0 (input_method_service))
+(typeattributeset input_service_34_0 (input_service))
+(typeattributeset inputflinger_34_0 (inputflinger))
+(typeattributeset inputflinger_exec_34_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_34_0 (inputflinger_service))
+(typeattributeset install_data_file_34_0 (install_data_file))
+(typeattributeset installd_34_0 (installd))
+(typeattributeset installd_exec_34_0 (installd_exec))
+(typeattributeset installd_service_34_0 (installd_service))
+(typeattributeset ion_device_34_0 (ion_device))
+(typeattributeset ipsec_service_34_0 (ipsec_service))
+(typeattributeset iris_service_34_0 (iris_service))
+(typeattributeset iris_vendor_data_file_34_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_34_0 (isolated_app))
+(typeattributeset isolated_compute_app_34_0 (isolated_compute_app))
+(typeattributeset jobscheduler_service_34_0 (jobscheduler_service))
+(typeattributeset kernel_34_0 (kernel))
+(typeattributeset keychain_data_file_34_0 (keychain_data_file))
+(typeattributeset keychord_device_34_0 (keychord_device))
+(typeattributeset keyguard_config_prop_34_0 (keyguard_config_prop))
+(typeattributeset keystore2_key_contexts_file_34_0 (keystore2_key_contexts_file))
+(typeattributeset keystore_34_0 (keystore))
+(typeattributeset keystore_compat_hal_service_34_0 (keystore_compat_hal_service))
+(typeattributeset keystore_config_prop_34_0 (keystore_config_prop))
+(typeattributeset keystore_data_file_34_0 (keystore_data_file))
+(typeattributeset keystore_exec_34_0 (keystore_exec))
+(typeattributeset keystore_maintenance_service_34_0 (keystore_maintenance_service))
+(typeattributeset keystore_metrics_service_34_0 (keystore_metrics_service))
+(typeattributeset keystore_service_34_0 (keystore_service))
+(typeattributeset kmsg_debug_device_34_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_34_0 (kmsg_device))
+(typeattributeset labeledfs_34_0 (labeledfs))
+(typeattributeset launcherapps_service_34_0 (launcherapps_service))
+(typeattributeset legacy_permission_service_34_0 (legacy_permission_service))
+(typeattributeset legacykeystore_service_34_0 (legacykeystore_service))
+(typeattributeset libc_debug_prop_34_0 (libc_debug_prop))
+(typeattributeset light_service_34_0 (light_service))
+(typeattributeset linkerconfig_file_34_0 (linkerconfig_file))
+(typeattributeset llkd_34_0 (llkd))
+(typeattributeset llkd_exec_34_0 (llkd_exec))
+(typeattributeset llkd_prop_34_0 (llkd_prop))
+(typeattributeset lmkd_34_0 (lmkd))
+(typeattributeset lmkd_config_prop_34_0 (lmkd_config_prop))
+(typeattributeset lmkd_exec_34_0 (lmkd_exec))
+(typeattributeset lmkd_prop_34_0 (lmkd_prop))
+(typeattributeset lmkd_socket_34_0 (lmkd_socket))
+(typeattributeset locale_prop_34_0 (locale_prop))
+(typeattributeset locale_service_34_0 (locale_service))
+(typeattributeset location_service_34_0 (location_service))
+(typeattributeset location_time_zone_manager_service_34_0 (location_time_zone_manager_service))
+(typeattributeset lock_settings_service_34_0 (lock_settings_service))
+(typeattributeset log_prop_34_0 (log_prop))
+(typeattributeset log_tag_prop_34_0 (log_tag_prop))
+(typeattributeset logcat_exec_34_0 (logcat_exec))
+(typeattributeset logd_34_0 (logd))
+(typeattributeset logd_exec_34_0 (logd_exec))
+(typeattributeset logd_prop_34_0 (logd_prop))
+(typeattributeset logd_socket_34_0 (logd_socket))
+(typeattributeset logdr_socket_34_0 (logdr_socket))
+(typeattributeset logdw_socket_34_0 (logdw_socket))
+(typeattributeset logpersist_34_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_34_0 (logpersistd_logging_prop))
+(typeattributeset loop_control_device_34_0 (loop_control_device))
+(typeattributeset loop_device_34_0 (loop_device))
+(typeattributeset looper_stats_service_34_0 (looper_stats_service))
+(typeattributeset lowpan_device_34_0 (lowpan_device))
+(typeattributeset lowpan_prop_34_0 (lowpan_prop))
+(typeattributeset lpdump_service_34_0 (lpdump_service))
+(typeattributeset lpdumpd_prop_34_0 (lpdumpd_prop))
+(typeattributeset mac_perms_file_34_0 (mac_perms_file))
+(typeattributeset mdns_service_34_0 (mdns_service))
+(typeattributeset mdns_socket_34_0 (mdns_socket))
+(typeattributeset mdnsd_34_0 (mdnsd))
+(typeattributeset mdnsd_socket_34_0 (mdnsd_socket))
+(typeattributeset media_communication_service_34_0 (media_communication_service))
+(typeattributeset media_config_prop_34_0 (media_config_prop))
+(typeattributeset media_data_file_34_0 (media_data_file))
+(typeattributeset media_metrics_service_34_0 (media_metrics_service))
+(typeattributeset media_projection_service_34_0 (media_projection_service))
+(typeattributeset media_router_service_34_0 (media_router_service))
+(typeattributeset media_rw_data_file_34_0 (media_rw_data_file))
+(typeattributeset media_session_service_34_0 (media_session_service))
+(typeattributeset media_userdir_file_34_0 (media_userdir_file))
+(typeattributeset media_variant_prop_34_0 (media_variant_prop))
+(typeattributeset mediadrm_config_prop_34_0 (mediadrm_config_prop))
+(typeattributeset mediadrmserver_34_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_34_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_34_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_34_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_34_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_34_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_34_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_34_0 (mediametrics))
+(typeattributeset mediametrics_exec_34_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_34_0 (mediametrics_service))
+(typeattributeset mediaprovider_34_0 (mediaprovider))
+(typeattributeset mediaserver_34_0 (mediaserver))
+(typeattributeset mediaserver_exec_34_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_34_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_34_0 (mediaserver_tmpfs))
+(typeattributeset mediaswcodec_34_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_34_0 (mediaswcodec_exec))
+(typeattributeset mediatranscoding_34_0 (mediatranscoding))
+(typeattributeset mediatranscoding_service_34_0 (mediatranscoding_service))
+(typeattributeset meminfo_service_34_0 (meminfo_service))
+(typeattributeset memtrackproxy_service_34_0 (memtrackproxy_service))
+(typeattributeset metadata_block_device_34_0 (metadata_block_device))
+(typeattributeset metadata_bootstat_file_34_0 (metadata_bootstat_file))
+(typeattributeset metadata_file_34_0 (metadata_file))
+(typeattributeset method_trace_data_file_34_0 (method_trace_data_file))
+(typeattributeset midi_service_34_0 (midi_service))
+(typeattributeset mirror_data_file_34_0 (mirror_data_file))
+(typeattributeset misc_block_device_34_0 (misc_block_device))
+(typeattributeset misc_logd_file_34_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_34_0 (misc_user_data_file))
+(typeattributeset mm_events_config_prop_34_0 (mm_events_config_prop))
+(typeattributeset mmc_prop_34_0 (mmc_prop))
+(typeattributeset mnt_expand_file_34_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_34_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_34_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_pass_through_file_34_0 (mnt_pass_through_file))
+(typeattributeset mnt_product_file_34_0 (mnt_product_file))
+(typeattributeset mnt_sdcard_file_34_0 (mnt_sdcard_file))
+(typeattributeset mnt_user_file_34_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_34_0 (mnt_vendor_file))
+(typeattributeset mock_ota_prop_34_0 (mock_ota_prop))
+(typeattributeset modprobe_34_0 (modprobe))
+(typeattributeset module_sdkextensions_prop_34_0 (module_sdkextensions_prop))
+(typeattributeset mount_service_34_0 (mount_service))
+(typeattributeset mqueue_34_0 (mqueue))
+(typeattributeset mtp_34_0 (mtp))
+(typeattributeset mtp_device_34_0 (mtp_device))
+(typeattributeset mtp_exec_34_0 (mtp_exec))
+(typeattributeset mtpd_socket_34_0 (mtpd_socket))
+(typeattributeset music_recognition_service_34_0 (music_recognition_service))
+(typeattributeset nativetest_data_file_34_0 (nativetest_data_file))
+(typeattributeset nearby_service_34_0 (nearby_service))
+(typeattributeset net_data_file_34_0 (net_data_file))
+(typeattributeset net_dns_prop_34_0 (net_dns_prop))
+(typeattributeset net_radio_prop_34_0 (net_radio_prop))
+(typeattributeset netd_34_0 (netd))
+(typeattributeset netd_exec_34_0 (netd_exec))
+(typeattributeset netd_listener_service_34_0 (netd_listener_service))
+(typeattributeset netd_service_34_0 (netd_service))
+(typeattributeset netif_34_0 (netif))
+(typeattributeset netpolicy_service_34_0 (netpolicy_service))
+(typeattributeset netstats_service_34_0 (netstats_service))
+(typeattributeset netutils_wrapper_34_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_34_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_34_0 (network_management_service))
+(typeattributeset network_score_service_34_0 (network_score_service))
+(typeattributeset network_stack_34_0 (network_stack))
+(typeattributeset network_stack_service_34_0 (network_stack_service))
+(typeattributeset network_time_update_service_34_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_34_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_34_0 (network_watchlist_service))
+(typeattributeset nfc_34_0 (nfc))
+(typeattributeset nfc_data_file_34_0 (nfc_data_file))
+(typeattributeset nfc_device_34_0 (nfc_device))
+(typeattributeset nfc_logs_data_file_34_0 (nfc_logs_data_file))
+(typeattributeset nfc_prop_34_0 (nfc_prop))
+(typeattributeset nfc_service_34_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_34_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_34_0 (node))
+(typeattributeset notification_service_34_0 (notification_service))
+(typeattributeset null_device_34_0 (null_device))
+(typeattributeset oem_lock_service_34_0 (oem_lock_service))
+(typeattributeset oem_unlock_prop_34_0 (oem_unlock_prop))
+(typeattributeset oemfs_34_0 (oemfs))
+(typeattributeset ondevicepersonalization_system_service_34_0 (ondevicepersonalization_system_service))
+(typeattributeset ota_data_file_34_0 (ota_data_file))
+(typeattributeset ota_metadata_file_34_0 (ota_metadata_file))
+(typeattributeset ota_package_file_34_0 (ota_package_file))
+(typeattributeset ota_prop_34_0 (ota_prop))
+(typeattributeset otadexopt_service_34_0 (otadexopt_service))
+(typeattributeset otapreopt_chroot_34_0 (otapreopt_chroot))
+(typeattributeset overlay_prop_34_0 (overlay_prop))
+(typeattributeset overlay_service_34_0 (overlay_service))
+(typeattributeset overlayfs_file_34_0 (overlayfs_file))
+(typeattributeset owntty_device_34_0 (owntty_device))
+(typeattributeset pac_proxy_service_34_0 (pac_proxy_service))
+(typeattributeset package_native_service_34_0 (package_native_service))
+(typeattributeset package_service_34_0 (package_service))
+(typeattributeset packagemanager_config_prop_34_0 (packagemanager_config_prop))
+(typeattributeset packages_list_file_34_0 (packages_list_file))
+(typeattributeset pan_result_prop_34_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_34_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_34_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_34_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_34_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_34_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_34_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_34_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_34_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_34_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_34_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_34_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_34_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_34_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_34_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_34_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_34_0 (pdx_performance_dir))
+(typeattributeset people_service_34_0 (people_service))
+(typeattributeset perfetto_34_0 (perfetto))
+(typeattributeset performanced_34_0 (performanced))
+(typeattributeset performanced_exec_34_0 (performanced_exec))
+(typeattributeset permission_checker_service_34_0 (permission_checker_service))
+(typeattributeset permission_service_34_0 (permission_service))
+(typeattributeset permissionmgr_service_34_0 (permissionmgr_service))
+(typeattributeset permissive_mte_prop_34_0 (permissive_mte_prop))
+(typeattributeset persist_debug_prop_34_0 (persist_debug_prop))
+(typeattributeset persist_vendor_debug_wifi_prop_34_0 (persist_vendor_debug_wifi_prop))
+(typeattributeset persist_wm_debug_prop_34_0 (persist_wm_debug_prop))
+(typeattributeset persistent_data_block_service_34_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_34_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_34_0 (pinner_service))
+(typeattributeset pipefs_34_0 (pipefs))
+(typeattributeset platform_app_34_0 (platform_app))
+(typeattributeset platform_compat_service_34_0 (platform_compat_service))
+(typeattributeset pmsg_device_34_0 (pmsg_device))
+(typeattributeset port_34_0 (port))
+(typeattributeset port_device_34_0 (port_device))
+(typeattributeset postinstall_34_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_34_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_34_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_34_0 (postinstall_mnt_dir))
+(typeattributeset power_debug_prop_34_0 (power_debug_prop))
+(typeattributeset power_service_34_0 (power_service))
+(typeattributeset powerctl_prop_34_0 (powerctl_prop))
+(typeattributeset powerstats_service_34_0 (powerstats_service))
+(typeattributeset ppp_34_0 (ppp))
+(typeattributeset ppp_device_34_0 (ppp_device))
+(typeattributeset ppp_exec_34_0 (ppp_exec))
+(typeattributeset preloads_data_file_34_0 (preloads_data_file))
+(typeattributeset preloads_media_file_34_0 (preloads_media_file))
+(typeattributeset prereboot_data_file_34_0 (prereboot_data_file))
+(typeattributeset print_service_34_0 (print_service))
+(typeattributeset priv_app_34_0 (priv_app))
+(typeattributeset privapp_data_file_34_0 (privapp_data_file))
+(typeattributeset prng_seeder_34_0 (prng_seeder))
+(typeattributeset proc_34_0 (proc))
+(typeattributeset proc_abi_34_0 (proc_abi))
+(typeattributeset proc_asound_34_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_34_0 (proc_bluetooth_writable))
+(typeattributeset proc_bootconfig_34_0 (proc_bootconfig))
+(typeattributeset proc_bpf_34_0 (proc_bpf))
+(typeattributeset proc_buddyinfo_34_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_34_0 (proc_cmdline))
+(typeattributeset proc_cpu_alignment_34_0 (proc_cpu_alignment))
+(typeattributeset proc_cpuinfo_34_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_34_0 (proc_dirty))
+(typeattributeset proc_diskstats_34_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_34_0 (proc_drop_caches))
+(typeattributeset proc_extra_free_kbytes_34_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_34_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_34_0 (proc_fs_verity))
+(typeattributeset proc_hostname_34_0 (proc_hostname))
+(typeattributeset proc_hung_task_34_0 (proc_hung_task))
+(typeattributeset proc_interrupts_34_0 (proc_interrupts))
+(typeattributeset proc_iomem_34_0 (proc_iomem))
+(typeattributeset proc_kallsyms_34_0 (proc_kallsyms))
+(typeattributeset proc_keys_34_0 (proc_keys))
+(typeattributeset proc_kmsg_34_0 (proc_kmsg))
+(typeattributeset proc_kpageflags_34_0 (proc_kpageflags))
+(typeattributeset proc_loadavg_34_0 (proc_loadavg))
+(typeattributeset proc_locks_34_0 (proc_locks))
+(typeattributeset proc_lowmemorykiller_34_0 (proc_lowmemorykiller))
+(typeattributeset proc_max_map_count_34_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_34_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_34_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_34_0 (proc_misc))
+(typeattributeset proc_modules_34_0 (proc_modules))
+(typeattributeset proc_mounts_34_0 (proc_mounts))
+(typeattributeset proc_net_34_0 (proc_net))
+(typeattributeset proc_net_tcp_udp_34_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_34_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_34_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_34_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_34_0 (proc_panic))
+(typeattributeset proc_perf_34_0 (proc_perf))
+(typeattributeset proc_pid_max_34_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_34_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_34_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_34_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_34_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_34_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_34_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_34_0 (proc_random))
+(typeattributeset proc_sched_34_0 (proc_sched))
+(typeattributeset proc_security_34_0 (proc_security))
+(typeattributeset proc_slabinfo_34_0 (proc_slabinfo))
+(typeattributeset proc_stat_34_0 (proc_stat))
+(typeattributeset proc_swaps_34_0 (proc_swaps))
+(typeattributeset proc_sysrq_34_0 (proc_sysrq))
+(typeattributeset proc_timer_34_0 (proc_timer))
+(typeattributeset proc_tty_drivers_34_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_34_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_34_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_34_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_34_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_34_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_34_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_34_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_34_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_34_0 (proc_uptime))
+(typeattributeset proc_vendor_sched_34_0 (proc_vendor_sched))
+(typeattributeset proc_version_34_0 (proc_version))
+(typeattributeset proc_vmallocinfo_34_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_34_0 (proc_vmstat))
+(typeattributeset proc_watermark_boost_factor_34_0 (proc_watermark_boost_factor))
+(typeattributeset proc_watermark_scale_factor_34_0 (proc_watermark_scale_factor))
+(typeattributeset proc_zoneinfo_34_0 (proc_zoneinfo))
+(typeattributeset processinfo_service_34_0 (processinfo_service))
+(typeattributeset procstats_service_34_0 (procstats_service))
+(typeattributeset profman_34_0 (profman))
+(typeattributeset profman_dump_data_file_34_0 (profman_dump_data_file))
+(typeattributeset profman_exec_34_0 (profman_exec))
+(typeattributeset properties_device_34_0 (properties_device))
+(typeattributeset properties_serial_34_0 (properties_serial))
+(typeattributeset property_contexts_file_34_0 (property_contexts_file))
+(typeattributeset property_data_file_34_0 (property_data_file))
+(typeattributeset property_info_34_0 (property_info))
+(typeattributeset property_service_version_prop_34_0 (property_service_version_prop))
+(typeattributeset property_socket_34_0 (property_socket))
+(typeattributeset provisioned_prop_34_0 (provisioned_prop))
+(typeattributeset pstorefs_34_0 (pstorefs))
+(typeattributeset ptmx_device_34_0 (ptmx_device))
+(typeattributeset qemu_hw_prop_34_0 (qemu_hw_prop))
+(typeattributeset qemu_sf_lcd_density_prop_34_0 (qemu_sf_lcd_density_prop))
+(typeattributeset qtaguid_device_34_0 (qtaguid_device))
+(typeattributeset quick_start_prop_34_0 (quick_start_prop))
+(typeattributeset racoon_34_0 (racoon))
+(typeattributeset racoon_exec_34_0 (racoon_exec))
+(typeattributeset racoon_socket_34_0 (racoon_socket))
+(typeattributeset radio_34_0 (radio))
+(typeattributeset radio_control_prop_34_0 (radio_control_prop))
+(typeattributeset radio_core_data_file_34_0 (radio_core_data_file))
+(typeattributeset radio_data_file_34_0 (radio_data_file))
+(typeattributeset radio_device_34_0 (radio_device))
+(typeattributeset radio_prop_34_0 (radio_prop))
+(typeattributeset radio_service_34_0 (radio_service))
+(typeattributeset ram_device_34_0 (ram_device))
+(typeattributeset random_device_34_0 (random_device))
+(typeattributeset reboot_readiness_service_34_0 (reboot_readiness_service))
+(typeattributeset rebootescrow_hal_prop_34_0 (rebootescrow_hal_prop))
+(typeattributeset recovery_34_0 (recovery))
+(typeattributeset recovery_block_device_34_0 (recovery_block_device))
+(typeattributeset recovery_config_prop_34_0 (recovery_config_prop))
+(typeattributeset recovery_data_file_34_0 (recovery_data_file))
+(typeattributeset recovery_persist_34_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_34_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_34_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_34_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_34_0 (recovery_service))
+(typeattributeset recovery_socket_34_0 (recovery_socket))
+(typeattributeset recovery_usb_config_prop_34_0 (recovery_usb_config_prop))
+(typeattributeset registry_service_34_0 (registry_service))
+(typeattributeset remote_provisioning_service_34_0 (remote_provisioning_service))
+(typeattributeset resourcecache_data_file_34_0 (resourcecache_data_file))
+(typeattributeset resources_manager_service_34_0 (resources_manager_service))
+(typeattributeset restorecon_prop_34_0 (restorecon_prop))
+(typeattributeset restrictions_service_34_0 (restrictions_service))
+(typeattributeset retaildemo_prop_34_0 (retaildemo_prop))
+(typeattributeset rild_debug_socket_34_0 (rild_debug_socket))
+(typeattributeset rild_socket_34_0 (rild_socket))
+(typeattributeset ringtone_file_34_0 (ringtone_file))
+(typeattributeset rkpdapp_34_0 (rkpdapp))
+(typeattributeset role_service_34_0 (role_service))
+(typeattributeset rollback_service_34_0 (rollback_service))
+(typeattributeset root_block_device_34_0 (root_block_device))
+(typeattributeset rootdisk_sysdev_34_0 (rootdisk_sysdev))
+(typeattributeset rootfs_34_0 (rootfs))
+(typeattributeset rpmsg_device_34_0 (rpmsg_device))
+(typeattributeset rs_34_0 (rs))
+(typeattributeset rs_exec_34_0 (rs_exec))
+(typeattributeset rss_hwm_reset_34_0 (rss_hwm_reset))
+(typeattributeset rtc_device_34_0 (rtc_device))
+(typeattributeset rttmanager_service_34_0 (rttmanager_service))
+(typeattributeset runas_34_0 (runas))
+(typeattributeset runas_app_34_0 (runas_app))
+(typeattributeset runas_exec_34_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_34_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_34_0 (runtime_service))
+(typeattributeset safemode_prop_34_0 (safemode_prop))
+(typeattributeset same_process_hal_file_34_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_34_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_34_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_34_0 (sdcard_block_device))
+(typeattributeset sdcardd_34_0 (sdcardd))
+(typeattributeset sdcardd_exec_34_0 (sdcardd_exec))
+(typeattributeset sdcardfs_34_0 (sdcardfs))
+(typeattributeset sdk_sandbox_service_34_0 (sdk_sandbox_service))
+(typeattributeset seapp_contexts_file_34_0 (seapp_contexts_file))
+(typeattributeset search_service_34_0 (search_service))
+(typeattributeset search_ui_service_34_0 (search_ui_service))
+(typeattributeset sec_key_att_app_id_provider_service_34_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_34_0 (secure_element))
+(typeattributeset secure_element_device_34_0 (secure_element_device))
+(typeattributeset secure_element_service_34_0 (secure_element_service))
+(typeattributeset securityfs_34_0 (securityfs))
+(typeattributeset selection_toolbar_service_34_0 (selection_toolbar_service))
+(typeattributeset selinuxfs_34_0 (selinuxfs))
+(typeattributeset sendbug_config_prop_34_0 (sendbug_config_prop))
+(typeattributeset sensor_privacy_service_34_0 (sensor_privacy_service))
+(typeattributeset sensors_device_34_0 (sensors_device))
+(typeattributeset sensorservice_service_34_0 (sensorservice_service))
+(typeattributeset sepolicy_file_34_0 (sepolicy_file))
+(typeattributeset serial_device_34_0 (serial_device))
+(typeattributeset serial_service_34_0 (serial_service))
+(typeattributeset serialno_prop_34_0 (serialno_prop))
+(typeattributeset server_configurable_flags_data_file_34_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_34_0 (service_contexts_file))
+(typeattributeset service_manager_service_34_0 (service_manager_service))
+(typeattributeset service_manager_vndservice_34_0 (service_manager_vndservice))
+(typeattributeset servicediscovery_service_34_0 (servicediscovery_service))
+(typeattributeset servicemanager_34_0 (servicemanager))
+(typeattributeset servicemanager_exec_34_0 (servicemanager_exec))
+(typeattributeset servicemanager_prop_34_0 (servicemanager_prop))
+(typeattributeset settings_service_34_0 (settings_service))
+(typeattributeset sgdisk_34_0 (sgdisk))
+(typeattributeset sgdisk_exec_34_0 (sgdisk_exec))
+(typeattributeset shared_relro_34_0 (shared_relro))
+(typeattributeset shared_relro_file_34_0 (shared_relro_file))
+(typeattributeset shell_34_0 (shell))
+(typeattributeset shell_data_file_34_0 (shell_data_file))
+(typeattributeset shell_exec_34_0 (shell_exec))
+(typeattributeset shell_prop_34_0 (shell_prop))
+(typeattributeset shell_test_data_file_34_0 (shell_test_data_file))
+(typeattributeset shm_34_0 (shm))
+(typeattributeset shortcut_manager_icons_34_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_34_0 (shortcut_service))
+(typeattributeset shutdown_checkpoints_system_data_file_34_0 (shutdown_checkpoints_system_data_file))
+(typeattributeset simpleperf_34_0 (simpleperf))
+(typeattributeset simpleperf_app_runner_34_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_34_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_34_0 (slice_service))
+(typeattributeset slideshow_34_0 (slideshow))
+(typeattributeset smart_idle_maint_enabled_prop_34_0 (smart_idle_maint_enabled_prop))
+(typeattributeset smartspace_service_34_0 (smartspace_service))
+(typeattributeset snapshotctl_log_data_file_34_0 (snapshotctl_log_data_file))
+(typeattributeset snapuserd_proxy_socket_34_0 (snapuserd_proxy_socket))
+(typeattributeset snapuserd_socket_34_0 (snapuserd_socket))
+(typeattributeset soc_prop_34_0 (soc_prop))
+(typeattributeset socket_device_34_0 (socket_device))
+(typeattributeset socket_hook_prop_34_0 (socket_hook_prop))
+(typeattributeset sockfs_34_0 (sockfs))
+(typeattributeset sota_prop_34_0 (sota_prop))
+(typeattributeset soundtrigger_middleware_service_34_0 (soundtrigger_middleware_service))
+(typeattributeset speech_recognition_service_34_0 (speech_recognition_service))
+(typeattributeset sqlite_log_prop_34_0 (sqlite_log_prop))
+(typeattributeset staged_install_file_34_0 (staged_install_file))
+(typeattributeset staging_data_file_34_0 (staging_data_file))
+(typeattributeset stats_config_data_file_34_0 (stats_config_data_file))
+(typeattributeset stats_data_file_34_0 (stats_data_file))
+(typeattributeset statsd_34_0 (statsd))
+(typeattributeset statsd_exec_34_0 (statsd_exec))
+(typeattributeset statsdw_socket_34_0 (statsdw_socket))
+(typeattributeset statusbar_service_34_0 (statusbar_service))
+(typeattributeset storage_config_prop_34_0 (storage_config_prop))
+(typeattributeset storage_file_34_0 (storage_file))
+(typeattributeset storage_stub_file_34_0 (storage_stub_file))
+(typeattributeset storaged_service_34_0 (storaged_service))
+(typeattributeset storagemanager_config_prop_34_0 (storagemanager_config_prop))
+(typeattributeset storagestats_service_34_0 (storagestats_service))
+(typeattributeset su_34_0 (su))
+(typeattributeset su_exec_34_0 (su_exec))
+(typeattributeset super_block_device_34_0 (super_block_device))
+(typeattributeset surfaceflinger_34_0 (surfaceflinger))
+(typeattributeset surfaceflinger_color_prop_34_0 (surfaceflinger_color_prop))
+(typeattributeset surfaceflinger_display_prop_34_0 (surfaceflinger_display_prop))
+(typeattributeset surfaceflinger_prop_34_0 (surfaceflinger_prop))
+(typeattributeset surfaceflinger_service_34_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_34_0 (surfaceflinger_tmpfs))
+(typeattributeset suspend_prop_34_0 (suspend_prop))
+(typeattributeset swap_block_device_34_0 (swap_block_device))
+(typeattributeset sysfs_34_0 (sysfs))
+(typeattributeset sysfs_android_usb_34_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_34_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_34_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devfreq_cur_34_0 (sysfs_devfreq_cur))
+(typeattributeset sysfs_devfreq_dir_34_0 (sysfs_devfreq_dir))
+(typeattributeset sysfs_devices_block_34_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_cs_etm_34_0 (sysfs_devices_cs_etm))
+(typeattributeset sysfs_devices_system_cpu_34_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_34_0 (sysfs_dm))
+(typeattributeset sysfs_dm_verity_34_0 (sysfs_dm_verity))
+(typeattributeset sysfs_dma_heap_34_0 (sysfs_dma_heap))
+(typeattributeset sysfs_dmabuf_stats_34_0 (sysfs_dmabuf_stats))
+(typeattributeset sysfs_dt_firmware_android_34_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_34_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_34_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_34_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_fs_fuse_bpf_34_0 (sysfs_fs_fuse_bpf))
+(typeattributeset sysfs_fs_fuse_features_34_0 (sysfs_fs_fuse_features))
+(typeattributeset sysfs_fs_incfs_features_34_0 (sysfs_fs_incfs_features))
+(typeattributeset sysfs_fs_incfs_metrics_34_0 (sysfs_fs_incfs_metrics))
+(typeattributeset sysfs_gpu_34_0 (sysfs_gpu))
+(typeattributeset sysfs_hwrandom_34_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ion_34_0 (sysfs_ion))
+(typeattributeset sysfs_ipv4_34_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_34_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_34_0 (sysfs_leds))
+(typeattributeset sysfs_loop_34_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_34_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_lru_gen_enabled_34_0 (sysfs_lru_gen_enabled))
+(typeattributeset sysfs_net_34_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_34_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_34_0 (sysfs_power))
+(typeattributeset sysfs_rtc_34_0 (sysfs_rtc))
+(typeattributeset sysfs_suspend_stats_34_0 (sysfs_suspend_stats))
+(typeattributeset sysfs_switch_34_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_34_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_34_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uhid_34_0 (sysfs_uhid))
+(typeattributeset sysfs_uio_34_0 (sysfs_uio))
+(typeattributeset sysfs_usb_34_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_34_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vendor_sched_34_0 (sysfs_vendor_sched))
+(typeattributeset sysfs_vibrator_34_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_34_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_34_0 (sysfs_wakeup))
+(typeattributeset sysfs_wakeup_reasons_34_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_34_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_34_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_34_0 (sysfs_zram_uevent))
+(typeattributeset system_app_34_0 (system_app))
+(typeattributeset system_app_data_file_34_0 (system_app_data_file))
+(typeattributeset system_app_service_34_0 (system_app_service))
+(typeattributeset system_asan_options_file_34_0 (system_asan_options_file))
+(typeattributeset system_block_device_34_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_34_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_34_0 (system_bootstrap_lib_file))
+(typeattributeset system_config_service_34_0 (system_config_service))
+(typeattributeset system_data_file_34_0 (system_data_file))
+(typeattributeset system_data_root_file_34_0 (system_data_root_file))
+(typeattributeset system_dlkm_file_34_0 (system_dlkm_file))
+(typeattributeset system_event_log_tags_file_34_0 (system_event_log_tags_file))
+(typeattributeset system_file_34_0 (system_file))
+(typeattributeset system_group_file_34_0 (system_group_file))
+(typeattributeset system_jvmti_agent_prop_34_0 (system_jvmti_agent_prop))
+(typeattributeset system_lib_file_34_0 (system_lib_file))
+(typeattributeset system_linker_config_file_34_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_34_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_34_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_34_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_34_0 (system_net_netd_hwservice))
+(typeattributeset system_net_netd_service_34_0 (system_net_netd_service))
+(typeattributeset system_passwd_file_34_0 (system_passwd_file))
+(typeattributeset system_prop_34_0 (system_prop))
+(typeattributeset system_seccomp_policy_file_34_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_34_0 (system_security_cacerts_file))
+(typeattributeset system_server_34_0 (system_server))
+(typeattributeset system_server_dumper_service_34_0 (system_server_dumper_service))
+(typeattributeset system_server_tmpfs_34_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_internal_service_34_0 (system_suspend_control_internal_service))
+(typeattributeset system_suspend_control_service_34_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_34_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_34_0 (system_trace_prop))
+(typeattributeset system_unsolzygote_socket_34_0 (system_unsolzygote_socket))
+(typeattributeset system_update_service_34_0 (system_update_service))
+(typeattributeset system_user_mode_emulation_prop_34_0 (system_user_mode_emulation_prop))
+(typeattributeset system_userdir_file_34_0 (system_userdir_file))
+(typeattributeset system_wifi_keystore_hwservice_34_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_34_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_34_0 (system_zoneinfo_file))
+(typeattributeset systemkeys_data_file_34_0 (systemkeys_data_file))
+(typeattributeset systemsound_config_prop_34_0 (systemsound_config_prop))
+(typeattributeset tare_service_34_0 (tare_service))
+(typeattributeset task_profiles_api_file_34_0 (task_profiles_api_file))
+(typeattributeset task_profiles_file_34_0 (task_profiles_file))
+(typeattributeset task_service_34_0 (task_service))
+(typeattributeset tcpdump_exec_34_0 (tcpdump_exec))
+(typeattributeset tee_34_0 (tee))
+(typeattributeset tee_data_file_34_0 (tee_data_file))
+(typeattributeset tee_device_34_0 (tee_device))
+(typeattributeset telecom_service_34_0 (telecom_service))
+(typeattributeset telephony_config_prop_34_0 (telephony_config_prop))
+(typeattributeset telephony_status_prop_34_0 (telephony_status_prop))
+(typeattributeset test_boot_reason_prop_34_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_34_0 (test_harness_prop))
+(typeattributeset testharness_service_34_0 (testharness_service))
+(typeattributeset tethering_service_34_0 (tethering_service))
+(typeattributeset textclassification_service_34_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_34_0 (textclassifier_data_file))
+(typeattributeset textservices_service_34_0 (textservices_service))
+(typeattributeset texttospeech_service_34_0 (texttospeech_service))
+(typeattributeset theme_prop_34_0 (theme_prop))
+(typeattributeset thermal_service_34_0 (thermal_service))
+(typeattributeset time_prop_34_0 (time_prop))
+(typeattributeset timedetector_service_34_0 (timedetector_service))
+(typeattributeset timezone_prop_34_0 (timezone_prop))
+(typeattributeset timezonedetector_service_34_0 (timezonedetector_service))
+(typeattributeset tmpfs_34_0 (tmpfs))
+(typeattributeset tombstone_config_prop_34_0 (tombstone_config_prop))
+(typeattributeset tombstone_data_file_34_0 (tombstone_data_file))
+(typeattributeset tombstone_wifi_data_file_34_0 (tombstone_wifi_data_file))
+(typeattributeset tombstoned_34_0 (tombstoned))
+(typeattributeset tombstoned_crash_socket_34_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_34_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_34_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_34_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_34_0 (toolbox))
+(typeattributeset toolbox_exec_34_0 (toolbox_exec))
+(typeattributeset trace_data_file_34_0 (trace_data_file))
+(typeattributeset traced_34_0 (traced))
+(typeattributeset traced_consumer_socket_34_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_34_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_34_0 (traced_lazy_prop))
+(typeattributeset traced_oome_heap_session_count_prop_34_0 (traced_oome_heap_session_count_prop))
+(typeattributeset traced_perf_34_0 (traced_perf))
+(typeattributeset traced_perf_socket_34_0 (traced_perf_socket))
+(typeattributeset traced_probes_34_0 (traced_probes))
+(typeattributeset traced_producer_socket_34_0 (traced_producer_socket))
+(typeattributeset traced_tmpfs_34_0 (traced_tmpfs))
+(typeattributeset traceur_app_34_0 (traceur_app))
+(typeattributeset translation_service_34_0 (translation_service))
+(typeattributeset trust_service_34_0 (trust_service))
+(typeattributeset tty_device_34_0 (tty_device))
+(typeattributeset tun_device_34_0 (tun_device))
+(typeattributeset tuner_config_prop_34_0 (tuner_config_prop))
+(typeattributeset tv_iapp_service_34_0 (tv_iapp_service))
+(typeattributeset tv_input_service_34_0 (tv_input_service))
+(typeattributeset tv_tuner_resource_mgr_service_34_0 (tv_tuner_resource_mgr_service))
+(typeattributeset ublk_block_device_34_0 (ublk_block_device))
+(typeattributeset ublk_control_device_34_0 (ublk_control_device))
+(typeattributeset ueventd_34_0 (ueventd))
+(typeattributeset ueventd_tmpfs_34_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_34_0 (uhid_device))
+(typeattributeset uimode_service_34_0 (uimode_service))
+(typeattributeset uio_device_34_0 (uio_device))
+(typeattributeset uncrypt_34_0 (uncrypt))
+(typeattributeset uncrypt_exec_34_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_34_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_34_0 (unencrypted_data_file))
+(typeattributeset unlabeled_34_0 (unlabeled))
+(typeattributeset untrusted_app_25_34_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_34_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_34_0 (untrusted_app_29))
+(typeattributeset untrusted_app_30_34_0 (untrusted_app_30))
+(typeattributeset untrusted_app_32_34_0 (untrusted_app_32))
+(typeattributeset untrusted_app_34_0 (untrusted_app))
+(typeattributeset update_engine_34_0 (update_engine))
+(typeattributeset update_engine_data_file_34_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_34_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_34_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_34_0 (update_engine_service))
+(typeattributeset update_engine_stable_service_34_0 (update_engine_stable_service))
+(typeattributeset update_verifier_34_0 (update_verifier))
+(typeattributeset update_verifier_exec_34_0 (update_verifier_exec))
+(typeattributeset updatelock_service_34_0 (updatelock_service))
+(typeattributeset uri_grants_service_34_0 (uri_grants_service))
+(typeattributeset usagestats_service_34_0 (usagestats_service))
+(typeattributeset usb_config_prop_34_0 (usb_config_prop))
+(typeattributeset usb_control_prop_34_0 (usb_control_prop))
+(typeattributeset usb_device_34_0 (usb_device))
+(typeattributeset usb_prop_34_0 (usb_prop))
+(typeattributeset usb_serial_device_34_0 (usb_serial_device))
+(typeattributeset usb_service_34_0 (usb_service))
+(typeattributeset usb_uvc_enabled_prop_34_0 (usb_uvc_enabled_prop))
+(typeattributeset usbaccessory_device_34_0 (usbaccessory_device))
+(typeattributeset usbd_34_0 (usbd))
+(typeattributeset usbd_exec_34_0 (usbd_exec))
+(typeattributeset usbfs_34_0 (usbfs))
+(typeattributeset use_memfd_prop_34_0 (use_memfd_prop))
+(typeattributeset user_profile_data_file_34_0 (user_profile_data_file))
+(typeattributeset user_profile_root_file_34_0 (user_profile_root_file))
+(typeattributeset user_service_34_0 (user_service))
+(typeattributeset userdata_block_device_34_0 (userdata_block_device))
+(typeattributeset userdata_sysdev_34_0 (userdata_sysdev))
+(typeattributeset userdebug_or_eng_prop_34_0 (userdebug_or_eng_prop))
+(typeattributeset usermodehelper_34_0 (usermodehelper))
+(typeattributeset userspace_reboot_config_prop_34_0 (userspace_reboot_config_prop))
+(typeattributeset userspace_reboot_exported_prop_34_0 (userspace_reboot_exported_prop))
+(typeattributeset userspace_reboot_metadata_file_34_0 (userspace_reboot_metadata_file))
+(typeattributeset uwb_service_34_0 (uwb_service))
+(typeattributeset vcn_management_service_34_0 (vcn_management_service))
+(typeattributeset vd_device_34_0 (vd_device))
+(typeattributeset vdc_34_0 (vdc))
+(typeattributeset vdc_exec_34_0 (vdc_exec))
+(typeattributeset vehicle_hal_prop_34_0 (vehicle_hal_prop))
+(typeattributeset vendor_apex_file_34_0 (vendor_apex_file))
+(typeattributeset vendor_app_file_34_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_34_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_34_0 (vendor_apex_metadata_file vendor_configs_file))
+(typeattributeset vendor_data_file_34_0 (vendor_data_file))
+(typeattributeset vendor_default_prop_34_0 (vendor_default_prop))
+(typeattributeset vendor_file_34_0 (vendor_file))
+(typeattributeset vendor_framework_file_34_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_34_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_34_0 (vendor_idc_file))
+(typeattributeset vendor_init_34_0 (vendor_init))
+(typeattributeset vendor_kernel_modules_34_0 (vendor_kernel_modules))
+(typeattributeset vendor_keychars_file_34_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_34_0 (vendor_keylayout_file))
+(typeattributeset vendor_misc_writer_34_0 (vendor_misc_writer))
+(typeattributeset vendor_misc_writer_exec_34_0 (vendor_misc_writer_exec))
+(typeattributeset vendor_modprobe_34_0 (vendor_modprobe))
+(typeattributeset vendor_overlay_file_34_0 (vendor_overlay_file))
+(typeattributeset vendor_public_framework_file_34_0 (vendor_public_framework_file))
+(typeattributeset vendor_public_lib_file_34_0 (vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_34_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_service_contexts_file_34_0 (vendor_service_contexts_file))
+(typeattributeset vendor_shell_34_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_34_0 (vendor_shell_exec))
+(typeattributeset vendor_socket_hook_prop_34_0 (vendor_socket_hook_prop))
+(typeattributeset vendor_task_profiles_file_34_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_34_0 (vendor_toolbox_exec))
+(typeattributeset vendor_userdir_file_34_0 (vendor_userdir_file))
+(typeattributeset vendor_uuid_mapping_config_file_34_0 (vendor_uuid_mapping_config_file))
+(typeattributeset vendor_vm_data_file_34_0 (vendor_vm_data_file))
+(typeattributeset vendor_vm_file_34_0 (vendor_vm_file))
+(typeattributeset vfat_34_0 (vfat))
+(typeattributeset vibrator_manager_service_34_0 (vibrator_manager_service))
+(typeattributeset vibrator_service_34_0 (vibrator_service))
+(typeattributeset video_device_34_0 (video_device))
+(typeattributeset virtual_ab_prop_34_0 (virtual_ab_prop))
+(typeattributeset virtual_device_service_34_0 (virtual_device_service))
+(typeattributeset virtual_face_hal_prop_34_0 (virtual_face_hal_prop))
+(typeattributeset virtual_fingerprint_hal_prop_34_0 (virtual_fingerprint_hal_prop))
+(typeattributeset virtual_touchpad_34_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_34_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_34_0 (virtual_touchpad_service))
+(typeattributeset virtualization_service_34_0 (virtualization_service))
+(typeattributeset vndbinder_device_34_0 (vndbinder_device))
+(typeattributeset vndk_prop_34_0 (vndk_prop))
+(typeattributeset vndk_sp_file_34_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_34_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_34_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_34_0 (voiceinteraction_service))
+(typeattributeset vold_34_0 (vold))
+(typeattributeset vold_config_prop_34_0 (vold_config_prop))
+(typeattributeset vold_data_file_34_0 (vold_data_file))
+(typeattributeset vold_device_34_0 (vold_device))
+(typeattributeset vold_exec_34_0 (vold_exec))
+(typeattributeset vold_metadata_file_34_0 (vold_metadata_file))
+(typeattributeset vold_post_fs_data_prop_34_0 (vold_post_fs_data_prop))
+(typeattributeset vold_prepare_subdirs_34_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_34_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_34_0 (vold_prop))
+(typeattributeset vold_service_34_0 (vold_service))
+(typeattributeset vold_status_prop_34_0 (vold_status_prop))
+(typeattributeset vpn_data_file_34_0 (vpn_data_file))
+(typeattributeset vpn_management_service_34_0 (vpn_management_service))
+(typeattributeset vr_hwc_service_34_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_34_0 (vr_manager_service))
+(typeattributeset vrflinger_vsync_service_34_0 (vrflinger_vsync_service))
+(typeattributeset vts_config_prop_34_0 (vts_config_prop))
+(typeattributeset vts_status_prop_34_0 (vts_status_prop))
+(typeattributeset wallpaper_effects_generation_service_34_0 (wallpaper_effects_generation_service))
+(typeattributeset wallpaper_file_34_0 (wallpaper_file))
+(typeattributeset wallpaper_service_34_0 (wallpaper_service))
+(typeattributeset watchdog_device_34_0 (watchdog_device))
+(typeattributeset watchdog_metadata_file_34_0 (watchdog_metadata_file))
+(typeattributeset watchdogd_34_0 (watchdogd))
+(typeattributeset watchdogd_exec_34_0 (watchdogd_exec))
+(typeattributeset webview_zygote_34_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_34_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_34_0 (webview_zygote_tmpfs))
+(typeattributeset webviewupdate_service_34_0 (webviewupdate_service))
+(typeattributeset wifi_config_prop_34_0 (wifi_config_prop))
+(typeattributeset wifi_data_file_34_0 (wifi_data_file))
+(typeattributeset wifi_hal_prop_34_0 (wifi_hal_prop))
+(typeattributeset wifi_key_34_0 (wifi_key))
+(typeattributeset wifi_log_prop_34_0 (wifi_log_prop))
+(typeattributeset wifi_prop_34_0 (wifi_prop))
+(typeattributeset wifi_service_34_0 (wifi_service))
+(typeattributeset wifiaware_service_34_0 (wifiaware_service))
+(typeattributeset wificond_34_0 (wificond))
+(typeattributeset wificond_exec_34_0 (wificond_exec))
+(typeattributeset wifinl80211_service_34_0 (wifinl80211_service))
+(typeattributeset wifip2p_service_34_0 (wifip2p_service))
+(typeattributeset wifiscanner_service_34_0 (wifiscanner_service))
+(typeattributeset window_service_34_0 (window_service))
+(typeattributeset wpa_socket_34_0 (wpa_socket))
+(typeattributeset zero_device_34_0 (zero_device))
+(typeattributeset zoned_block_device_34_0 (zoned_block_device))
+(typeattributeset zram_config_prop_34_0 (zram_config_prop))
+(typeattributeset zram_control_prop_34_0 (zram_control_prop))
+(typeattributeset zygote_34_0 (zygote))
+(typeattributeset zygote_config_prop_34_0 (zygote_config_prop))
+(typeattributeset zygote_exec_34_0 (zygote_exec))
+(typeattributeset zygote_socket_34_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_34_0 (zygote_tmpfs))
diff --git a/private/compat/34.0/34.0.compat.cil b/private/compat/34.0/34.0.compat.cil
new file mode 100644
index 0000000..76d24c5
--- /dev/null
+++ b/private/compat/34.0/34.0.compat.cil
@@ -0,0 +1,3 @@
+;; complement CIL file for compatibility between ToT policy and 34.0 vendors.
+;; will be compiled along with other normal policy files, on 34.0 vendors.
+;;
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
new file mode 100644
index 0000000..2c9961d
--- /dev/null
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -0,0 +1,37 @@
+;; new_objects - a collection of types that have been introduced with ToT policy
+;; that have no analogue in 34.0 policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ archive_service
+ dtbo_block_device
+ ota_build_prop
+ snapuserd_log_data_file
+ fwk_vibrator_control_service
+ hal_authgraph_service
+ hal_secretkeeper_service
+ hal_codec2_service
+ hal_macsec_service
+ hal_remotelyprovisionedcomponent_avf_service
+ hal_threadnetwork_service
+ hidraw_device
+ virtual_camera_service
+ ot_daemon_service
+ pm_archiving_enabled_prop
+ remote_auth_service
+ security_state_service
+ setupwizard_mode_prop
+ sysfs_sync_on_suspend
+ tv_ad_service
+ threadnetwork_service
+ device_config_aconfig_flags_prop
+ proc_memhealth
+ virtual_device_native_service
+ next_boot_prop
+ binderfs_logs_stats
+ drm_forcel3_prop
+ proc_percpu_pagelist_high_fraction
+ vendor_microdroid_file
+ ))
diff --git a/private/coredomain.te b/private/coredomain.te
index f9b47df..5442ea3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -15,6 +15,7 @@
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
@@ -150,7 +151,7 @@
-apexd
-init
-ueventd
- -vfio_handler
+ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
-vold
} sysfs:file no_rw_file_perms;
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 60962cb..27baaff 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -32,6 +32,13 @@
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;
+# Allow crash dump to read bootstrap libraries
+allow crash_dump system_bootstrap_lib_file:dir { getattr search };
+allow crash_dump system_bootstrap_lib_file:file r_file_perms;
+
+# Read Vendor APEX directories
+allow crash_dump vendor_apex_metadata_file:dir { getattr search };
+
###
### neverallow assertions
###
diff --git a/private/crosvm.te b/private/crosvm.te
index 31d6c19..ed89b87 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,8 +27,9 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
-# the files are passed as file descriptors.
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
+# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
+# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
@@ -36,7 +37,9 @@
app_data_file
privapp_data_file
apex_compos_data_file
+ apex_virt_data_file
shell_data_file
+ vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -64,11 +67,13 @@
app_data_file
privapp_data_file
apex_compos_data_file
+ apex_virt_data_file
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
+allow crosvm devpts:chr_file { read write getattr ioctl };
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
@@ -83,7 +88,7 @@
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
-dontaudit crosvm virtualizationmanager:fifo_file read;
+dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
@@ -95,9 +100,9 @@
allow crosvm vfio_device:chr_file rw_file_perms;
allow crosvm vfio_device:dir r_dir_perms;
-# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
-allow crosvm vfio_handler:fd use;
-allow crosvm vfio_handler:fifo_file r_file_perms;
+# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
+allow crosvm virtualizationmanager:fd use;
+allow crosvm virtualizationservice_data_file:file read;
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
@@ -122,6 +127,7 @@
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
+ -vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index ea9ab9c..18600d8 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -12,6 +12,8 @@
allow dex2oat vendor_framework_file:file { getattr open read map };
# Access /vendor/overlay
r_dir_file(dex2oat, vendor_overlay_file);
+# Vendor overlay can be found in vendor apex
+allow dex2oat vendor_apex_metadata_file:dir { getattr search };
allow dex2oat tmpfs:file { read getattr map };
@@ -82,7 +84,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
+allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
@@ -110,4 +112,4 @@
# Neverallow #
##############
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow dex2oat app_data_file_type:notdevfile_class_set open;
diff --git a/private/domain.te b/private/domain.te
index 1b5af99..2f107dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -214,7 +214,6 @@
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
neverallow { domain -system_server } *:keystore2_key use_dev_id;
neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
@@ -611,6 +610,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
+ -vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
@@ -668,6 +668,7 @@
userdebug_or_eng(`
-init
-hal_dumpstate
+ -incidentd
')
} { debugfs_type
userdebug_or_eng(`-debugfs_kcov')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b369797..1faedb4 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -56,6 +56,15 @@
binder_call(dumpstate, profcollectd)
')
+# Allow dumpstate to talk to automotive_display_service over binder
+binder_call(dumpstate, automotive_display_service)
+
+# Allow dumpstate to talk to virtual_camera service over binder
+binder_call(dumpstate, virtual_camera)
+
+# Allow dumpstate to talk to ot_daemon service over binder
+binder_call(dumpstate, ot_daemon)
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
@@ -64,6 +73,8 @@
mediatranscoding
statsd
netd
+ virtual_camera
+ ot_daemon
}:process signal;
# Only allow dumpstate to dump Keystore on debuggable builds.
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9f2b1d5..4e1417b 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -56,7 +56,7 @@
### neverallow rules
###
-neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
+neverallow ephemeral_app app_data_file_type:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
@@ -66,7 +66,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
+neverallow ephemeral_app debugfs_type:file read;
# execute gpu_device
neverallow ephemeral_app gpu_device:chr_file execute;
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 7dc1741..a189d23 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -42,6 +42,7 @@
# Mount /metadata to interact with Virtual A/B snapshots.
allow fastbootd labeledfs:filesystem { mount unmount };
+ set_prop(fastbootd, boottime_prop)
# Needed for reading boot properties.
allow fastbootd proc_bootconfig:file r_file_perms;
diff --git a/private/file.te b/private/file.te
index e81108a..f4c3e2d 100644
--- a/private/file.te
+++ b/private/file.te
@@ -68,6 +68,9 @@
# /data/misc/apexdata/com.android.compos
type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+# /data/misc/apexdata/com.android.virt
+type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
@@ -99,7 +102,7 @@
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
-# /data/bootanim
+# /data/misc/bootanim
type bootanim_data_file, file_type, data_file_type, core_data_file_type;
# /dev/kvm
@@ -115,13 +118,6 @@
# /apex/com.android.compos/bin/compos_key_helper
type compos_key_helper_exec, exec_type, file_type, system_file_type;
-# /metadata/sepolicy
-type sepolicy_metadata_file, file_type;
-
-# /dev/selinux/test - used to verify that apex sepolicy is loaded and
-# property labeled.
-type sepolicy_test_file, file_type;
-
# /apex/com.android.art/bin/art_exec
# This executable does not have its own domain because it is executed in the caller's domain. For
# example, it is executed in the `artd` domain when artd calls it.
@@ -132,8 +128,14 @@
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
+# /data/misc/threadnetwork
+type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
+
# /sys/firmware/devicetree/base/avf
type sysfs_dt_avf, fs_type, sysfs_type;
+# Type for /system/fonts/font_fallback.xm
+type system_font_fallback_file, system_file_type, file_type;
+
# Type for /sys/devices/uprobe.
type sysfs_uprobe, fs_type, sysfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index 3612b67..3cfbaf0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -1,4 +1,25 @@
###########################################
+# Entries in this file describe the security context associated with a file
+# path. They are used when building the device image, to include the security
+# context within the extended file attributes of the file system. They are also
+# used at runtime when calling restorecon.
+#
+# Entries are merged with other file_contexts from other partitions (e.g.,
+# vendor or odm, see the full list at libselinux/src/android/android.c).
+#
+# The entries are evaluated by the following rules:
+# - Static entries (that is, not using regular expressions) are always
+# evaluated first.
+# - The first matching entry is used.
+# - Entries are evaluated from the bottom to the top.
+#
+# Based on these rules, it is recommended that the less specific entries appear
+# first. For instance:
+# /dev(/.*)? u:object_r:device:s0
+# /dev/block(/.*)? u:object_r:block_device:s0
+# /dev/block/my_dev u:object_r:my_dev:s0
+#
+
# Root
/ u:object_r:rootfs:s0
@@ -32,6 +53,7 @@
/second_stage_resources u:object_r:tmpfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
+/bootstrap-apex u:object_r:apex_mnt_dir:s0
# Postinstall directories
/postinstall u:object_r:postinstall_mnt_dir:s0
@@ -105,6 +127,7 @@
/dev/fuse u:object_r:fuse_device:s0
/dev/gnss[0-9]+ u:object_r:gnss_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hidraw[0-9]+ u:object_r:hidraw_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/input(/.*)? u:object_r:input_device:s0
@@ -199,20 +222,14 @@
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info u:object_r:property_info:s0
#############################
# Linker configuration
#
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
-# Apex sepoolicy files.
-/dev/selinux/apex_file_contexts u:object_r:file_contexts_file:s0
-/dev/selinux/apex_seapp_contexts u:object_r:seapp_contexts_file:s0
-/dev/selinux/apex_service_contexts u:object_r:service_contexts_file:s0
-/dev/selinux/apex_property_contexts u:object_r:property_contexts_file:s0
-/dev/selinux/apex_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/dev/selinux/apex_mac_permissions\.xml u:object_r:mac_perms_file:s0
-
#############################
# System files
#
@@ -234,9 +251,6 @@
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
-/system/bin/ntfs-3g -- u:object_r:fuseblkd_untrusted_exec:s0
-/system/bin/ntfs-3g-compart -- u:object_r:fuseblkd_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
@@ -259,7 +273,6 @@
/system/bin/app_process32 u:object_r:zygote_exec:s0
/system/bin/app_process64 u:object_r:zygote_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
/system/bin/gpuservice u:object_r:gpuservice_exec:s0
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
@@ -344,18 +357,19 @@
/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
+/system/etc/font_fallback.xml u:object_r:system_font_fallback_file:s0
/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/passwd u:object_r:system_passwd_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
@@ -373,7 +387,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
-/system/bin/btfloader u:object_r:bpfloader_exec:s0
+/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
@@ -399,6 +413,7 @@
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
@@ -500,6 +515,9 @@
/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
@@ -568,7 +586,6 @@
/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
@@ -604,6 +621,7 @@
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
+/data/misc/apexdata/com\.android\.virt(/.*)? u:object_r:apex_virt_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
@@ -642,8 +660,8 @@
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
@@ -658,6 +676,7 @@
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
+/data/misc/threadnetwork(/.*)? u:object_r:threadnetwork_data_file:s0
/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
@@ -669,6 +688,7 @@
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/misc/snapuserd_log(/.*)? u:object_r:snapuserd_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
@@ -684,6 +704,7 @@
/data/vendor_ce/.* u:object_r:vendor_data_file:s0
/data/vendor_de u:object_r:vendor_userdir_file:s0
/data/vendor_de/.* u:object_r:vendor_data_file:s0
+/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
@@ -738,21 +759,12 @@
/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
# Boot animation data
-/data/bootanim(/.*)? u:object_r:bootanim_data_file:s0
+/data/misc/bootanim(/.*)? u:object_r:bootanim_data_file:s0
#############################
# Expanded data files
#
/mnt/expand u:object_r:mnt_expand_file:s0
-# CAREFUL: the two system_data_file patterns below can't be replaced with one
-# pattern "/mnt/expand/[^/]+(/.*)?", since SELinux would prioritize that over
-# "/mnt/expand/[^/]+/user". This is because when a path is matched by two
-# patterns that contain regex meta-characters, SELinux just chooses the longer
-# pattern (or the later pattern if the patterns are the same length), rather
-# than the pattern containing fewer regex meta-characters. Splitting the
-# pattern into "/mnt/expand/[^/]+" and "/mnt/expand/[^/]+/.*" works around this
-# problem, except for 1-character filenames which we aren't using.
-/mnt/expand/[^/]+ u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/.* u:object_r:system_data_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
@@ -842,10 +854,10 @@
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
-/metadata/sepolicy(/.*)? u:object_r:sepolicy_metadata_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
+/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
#############################
# asec containers
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index fd083c2..9554a76 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -6,8 +6,8 @@
/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib(/.*)? u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/(system_ext|system/system_ext)/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/(system_ext|system/system_ext)/lib64(/.*)? u:object_r:system_lib_file:s0
/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 390e3cf..b7f5808 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -3,6 +3,7 @@
init_daemon_domain(flags_health_check)
set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_core_experiments_team_internal_prop)
set_prop(flags_health_check, device_config_edgetpu_native_prop)
set_prop(flags_health_check, device_config_reset_performed_prop)
set_prop(flags_health_check, device_config_runtime_native_boot_prop)
@@ -24,6 +25,7 @@
set_prop(flags_health_check, device_config_configuration_prop)
set_prop(flags_health_check, device_config_connectivity_prop)
set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
+set_prop(flags_health_check, device_config_aconfig_flags_prop)
set_prop(flags_health_check, device_config_vendor_system_native_prop)
set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
@@ -32,6 +34,7 @@
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
set_prop(flags_health_check, device_config_camera_native_prop)
set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
+set_prop(flags_health_check, next_boot_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 2e5089c..a3765ec 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -14,8 +14,3 @@
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8ad21e6..41c60df 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -19,6 +19,7 @@
genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /memhealth u:object_r:proc_memhealth:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
genfscon proc /mounts u:object_r:proc_mounts:s0
@@ -91,6 +92,7 @@
genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
+genfscon proc /sys/vm/percpu_pagelist_high_fraction u:object_r:proc_percpu_pagelist_high_fraction:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -156,6 +158,7 @@
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
+genfscon sysfs /power/sync_on_suspend u:object_r:sysfs_sync_on_suspend:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
@@ -285,6 +288,8 @@
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_command/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
@@ -350,6 +355,8 @@
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_command/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
@@ -386,6 +393,7 @@
genfscon binder /vndbinder u:object_r:vndbinder_device:s0
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
genfscon binder /features u:object_r:binderfs_features:s0
genfscon inotifyfs / u:object_r:inotify:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 46b90c6..859c2ec 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -36,7 +36,6 @@
allow gmscore_app perfetto_traces_data_file:file { read getattr };
# Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
@@ -46,6 +45,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
diff --git a/private/gsid.te b/private/gsid.te
index e795cea..9391016 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -150,7 +150,7 @@
allow gsid {
gsi_data_file
ota_image_data_file
-}:dir rw_dir_perms;
+}:dir create_dir_perms;
allow gsid {
gsi_data_file
ota_image_data_file
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 91418b5..39d0bbb 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -70,5 +70,6 @@
}')
full_treble_only(`
- neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+ neverallow heapprofd vendor_file_type:file no_w_file_perms;
+ neverallow heapprofd { vendor_file_type -vndk_sp_file }:file no_x_file_perms;
')
diff --git a/private/incidentd.te b/private/incidentd.te
index e86b3bf..bf98d31 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,9 +29,7 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-no_debugfs_restriction(`
- allow incidentd debugfs_wakeup_sources:file r_file_perms;
-')
+userdebug_or_eng(`allow incidentd debugfs_wakeup_sources:file r_file_perms');
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
diff --git a/private/installd.te b/private/installd.te
index 7615c92..f9fb206 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -54,3 +54,7 @@
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
+
+# Allow installd to enable fs-verity for app file passed as FD;
+allow installd { untrusted_app_all priv_app gmscore_app }:fd use;
+allowxperm installd app_data_file_type:file ioctl FS_IOC_ENABLE_VERITY;
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 0617a57..1ffcabe 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -32,12 +32,15 @@
# suppress denials to /data/local/tmp
dontaudit isolated_app_all shell_data_file:dir search;
+# Allow to read (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+
#####
##### Neverallow
#####
# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
+neverallow isolated_app_all app_data_file_type:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index d5e8a74..5d4070d 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -21,6 +21,8 @@
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
+hal_client_domain(isolated_compute_app, hal_codec2)
+
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
# Allow access to network sockets received over IPC. New socket creation is not
diff --git a/private/kernel.te b/private/kernel.te
index 03ba79f..2d46b3e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -44,19 +44,3 @@
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };
-
-# Some contexts are changed before the device is flipped into enforcing mode
-# during the setup of Apex sepolicy. These denials can be suppressed since
-# the permissions should not be allowed after the device is flipped into
-# enforcing mode.
-dontaudit kernel device:dir { open read relabelto };
-dontaudit kernel tmpfs:file { getattr open read relabelfrom };
-dontaudit kernel {
- file_contexts_file
- hwservice_contexts_file
- mac_perms_file
- property_contexts_file
- seapp_contexts_file
- sepolicy_test_file
- service_contexts_file
-}:file relabelto;
diff --git a/private/keystore.te b/private/keystore.te
index cd2ef76..b81ccfa 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,6 +11,11 @@
# talk to keymint
hal_client_domain(keystore, hal_keymint)
+# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
+# access it.
+# TODO(b/312427637): Investigate the reason and fix the denial.
+dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
+
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
@@ -26,7 +31,7 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
-# Keystore need access to the keystore_key context files to load the keystore key backend.
+# Keystore need access to the keystore2_key_contexts file to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
# Allow keystore to listen to changing boot levels
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 3833971..868bf15 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -4,10 +4,10 @@
# <namespace> <label>
#
# <namespace> must be an integer in the interval [0 ... 2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
+# su_key is a keystore2_key namespace for the su domain intended for native tests.
0 u:object_r:su_key:s0
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+# shell_key is a keystore2_key namespace for the shell domain intended for native tests.
1 u:object_r:shell_key:s0
# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 9f5f87e..09ba079 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -18,6 +18,16 @@
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
read_fstab(lpdumpd)
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(lpdumpd, sysfs_dt_firmware_android);
+allow lpdumpd proc_cmdline:file r_file_perms;
+
+# Allow reading Virtual A/B status information.
+get_prop(lpdumpd, virtual_ab_prop)
+allow lpdumpd metadata_file:dir search;
+allow lpdumpd ota_metadata_file:dir { r_dir_perms lock };
+allow lpdumpd ota_metadata_file:file r_file_perms;
+
### Neverallow rules
# Disallow other domains to get lpdump_service and call lpdumpd.
diff --git a/private/mediaserver.te b/private/mediaserver.te
index f44cbde..92ec40d 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -16,6 +16,9 @@
get_prop(mediaserver, drm_service_config_prop)
get_prop(mediaserver, media_config_prop)
+# Allow MediaCodec running on mediaserver to read media_native flags
+get_prop(mediaserver, device_config_media_native_prop)
+
# Allow mediaserver to start media.transcoding service via ctl.start.
set_prop(mediaserver, ctl_mediatranscoding_prop);
diff --git a/private/mediatuner.te b/private/mediatuner.te
index bfb264e..5871bea 100644
--- a/private/mediatuner.te
+++ b/private/mediatuner.te
@@ -20,6 +20,9 @@
# Read ro.tuner.lazyhal
get_prop(mediatuner, tuner_config_prop)
+# Read tuner.server.enable
+get_prop(mediatuner, tuner_server_ctl_prop)
+
###
### neverallow rules
###
diff --git a/private/network_stack.te b/private/network_stack.te
index 84c8d4d..8e09be8 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -43,7 +43,6 @@
binder_call(network_stack, netd);
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
new file mode 100644
index 0000000..457e1bf
--- /dev/null
+++ b/private/ot_daemon.te
@@ -0,0 +1,38 @@
+#
+# ot_daemon is the native Thread network stack on the host (Android) side.
+# Refer to https://www.threadgroup.org for Thread network knowledge.
+#
+
+# ot_daemon
+type ot_daemon, domain, coredomain;
+type ot_daemon_exec, exec_type, file_type, system_file_type;
+
+# Allow init ot_daemon
+init_daemon_domain(ot_daemon)
+# Allow the ot_daemon to use the net domain.
+net_domain(ot_daemon)
+
+# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
+allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
+allow ot_daemon threadnetwork_data_file:file create_file_perms;
+allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+
+# Allow OT daemon to read/write the Thread tunnel interface
+allow ot_daemon tun_device:chr_file {read write};
+
+# Allow OT daemon to read/write on the socket created by System Server
+allow ot_daemon system_server:rawip_socket rw_socket_perms_no_ioctl;
+
+hal_client_domain(ot_daemon, hal_threadnetwork)
+
+# Only ot_daemon can publish the binder service
+binder_use(ot_daemon)
+add_service(ot_daemon, ot_daemon_service)
+binder_call(ot_daemon, system_server)
+
+# Allow OT daemon to write to statsd
+unix_socket_send(ot_daemon, statsdw, statsd)
+
+# For collecting bugreports.
+allow ot_daemon dumpstate:fd use;
+allow ot_daemon dumpstate:fifo_file write;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index ea9d4ee..73e170b 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -36,9 +36,10 @@
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
get_prop(otapreopt_chroot, apexd_prop)
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
+# Allow otapreopt to use file descriptors from update-engine and the postinstall
+# script. It will read dexopt commands from stdin and write progress to stdout.
allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot postinstall:fifo_file { read write getattr };
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/private/platform_app.te b/private/platform_app.te
index 44de21c..cd95353 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -48,6 +48,9 @@
userdebug_or_eng(`
set_prop(platform_app, persist_sysui_builder_extras_prop)
')
+userdebug_or_eng(`
+ set_prop(platform_app, persist_sysui_ranking_update_prop)
+')
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 2fdc941..cdf403c 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -47,6 +47,8 @@
r_dir_file(postinstall_dexopt, vendor_app_file)
# Read vendor overlay files (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
# Access to app oat directory.
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
diff --git a/private/priv_app.te b/private/priv_app.te
index cfd8721..536c9d4 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -150,7 +150,7 @@
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
+dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@@ -176,6 +176,9 @@
# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
get_prop(priv_app, incremental_prop)
+# allow privileged apps to read the device config flags.
+get_prop(priv_app, device_config_aconfig_flags_prop)
+
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
@@ -218,7 +221,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
+neverallow priv_app debugfs_type:file read;
# Do not allow privileged apps to register services.
# Only trusted components of Android should be registering
@@ -262,10 +265,10 @@
# application home directories. Code loading across a security boundary
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
+neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;
-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
+# Do not follow any app provided symlinks
+neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };
# Do not allow getting permission-protected network information from sysfs.
neverallow priv_app sysfs_net:file *;
@@ -290,3 +293,6 @@
# Allow priv apps to report off body events to keystore2.
allow priv_app keystore:keystore2 report_off_body;
+
+# Allow priv_apps to check if archiving is enabled
+get_prop(priv_app, pm_archiving_enabled_prop)
diff --git a/private/profman.te b/private/profman.te
index 390f83e..7ad49b2 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -10,3 +10,8 @@
# Allow profman to use file descriptors passed from privileged programs.
allow profman { artd installd }:fd use;
+
+# Allow profman to read from memfd created by artd.
+# profman needs to read the embedded profile that artd extracts from an APK,
+# which is passed by a memfd.
+allow profman artd_tmpfs:file { getattr read map lock };
diff --git a/private/property.te b/private/property.te
index 5889e57..ff0b693 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,6 +2,7 @@
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
+system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
@@ -26,10 +27,12 @@
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
+system_internal_prop(logd_auditrate_prop)
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(next_boot_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
@@ -51,11 +54,17 @@
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
+system_internal_prop(enable_16k_pages_prop)
+system_internal_prop(sensors_config_prop)
+system_internal_prop(hypervisor_pvmfw_prop)
+system_internal_prop(hypervisor_virtualizationmanager_prop)
+system_internal_prop(game_manager_config_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(log_file_logger_prop)
system_restricted_prop(persist_sysui_builder_extras_prop)
+system_restricted_prop(persist_sysui_ranking_update_prop)
###
### Neverallow rules
@@ -597,6 +606,12 @@
neverallow {
domain
-init
+ -vendor_init
+} setupwizard_mode_prop:property_service set;
+
+neverallow {
+ domain
+ -init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
@@ -696,3 +711,10 @@
-system_app
-device_as_webcam
} usb_uvc_enabled_prop:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+} pm_archiving_enabled_prop:property_service set;
+
diff --git a/private/property_contexts b/private/property_contexts
index 7a17035..4166c55 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -62,6 +62,7 @@
logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
+persist.logd.audit.rate u:object_r:logd_auditrate_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
logd.logpersistd u:object_r:logpersistd_logging_prop:s0
@@ -115,6 +116,7 @@
suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double
suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
+suspend.disable_sync_on_suspend u:object_r:suspend_prop:s0 exact bool
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
@@ -253,6 +255,7 @@
persist.device_config.camera_native. u:object_r:device_config_camera_native_prop:s0
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
+persist.device_config.core_experiments_team_internal. u:object_r:device_config_core_experiments_team_internal_prop:s0
persist.device_config.edgetpu_native. u:object_r:device_config_edgetpu_native_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
@@ -268,6 +271,7 @@
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
+persist.device_config.aconfig_flags. u:object_r:device_config_aconfig_flags_prop:s0
persist.device_config.vendor_system_native. u:object_r:device_config_vendor_system_native_prop:s0
persist.device_config.vendor_system_native_boot. u:object_r:device_config_vendor_system_native_boot_prop:s0
persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
@@ -276,6 +280,9 @@
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
persist.device_config.tethering_u_or_later_native. u:object_r:device_config_tethering_u_or_later_native_prop:s0
+# Properties that is for staging
+next_boot. u:object_r:next_boot_prop:s0
+
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -332,12 +339,17 @@
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
+# OEMs can set this prop at build time to configure how many seconds to delay
+# merge after installing a Virtual AB OTA. The default behavior is to start
+# merge immediately.
+ro.virtual_ab.merge_delay_seconds u:object_r:virtual_ab_prop:s0 exact int
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.io_uring.force_disable u:object_r:snapuserd_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
+ro.vendor.build.ab_ota_partitions u:object_r:ota_build_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
# The vbmeta digest for the inactive slot. It can be set after installing
@@ -409,6 +421,7 @@
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
ro.camera.disableJpegR u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCompositeAPI0JpegR u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableVirtualCamera u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
@@ -505,6 +518,7 @@
keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
+media.c2.hal.selection u:object_r:codec2_config_prop:s0 exact enum aidl hidl
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.resolution.limit.32bit u:object_r:media_config_prop:s0 exact int
@@ -576,6 +590,7 @@
bluetooth.profile.pan.panu.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.pbap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.pbap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.sim.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.vcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
@@ -608,6 +623,7 @@
bluetooth.core.le.vendor_capabilities.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.le.dsa_transport_preference u:object_r:bluetooth_config_prop:s0 exact string
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.nfc.vendor_debug_enabled u:object_r:nfc_prop:s0 exact bool
@@ -699,6 +715,9 @@
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
+hypervisor.pvmfw.path u:object_r:hypervisor_pvmfw_prop:s0 exact string
+hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
+
# hypervisor.*: configured by the vendor to advertise capabilities of their
# hypervisor to virtualizationservice.
hypervisor.memory_reclaim.supported u:object_r:hypervisor_restricted_prop:s0 exact bool
@@ -707,6 +726,7 @@
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.delay_monitors_until_boot u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.filecache_min_kb u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
@@ -813,6 +833,7 @@
drm.64bit.enabled u:object_r:mediadrm_config_prop:s0 exact bool
media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool
+persist.drm.forcel3.enabled u:object_r:drm_forcel3_prop:s0 exact bool
drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool
@@ -847,9 +868,8 @@
persist.libc.debug.gwp_asan. u:object_r:gwp_asan_prop:s0 prefix string
# shell-only props for ARM memory tagging (MTE).
-arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
-persist.arm64.memtag.app_default u:object_r:arm64_memtag_prop:s0 exact string
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+persist.arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
@@ -943,6 +963,10 @@
ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
+
+# Property for enabling 16k pages developer option.
+ro.product.build.16k_page.enabled u:object_r:enable_16k_pages_prop:s0 exact bool
+
ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
ro.force.debuggable u:object_r:build_prop:s0 exact bool
@@ -1111,10 +1135,14 @@
ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.name_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.device_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.manufacturer_for_attestation u:object_r:build_attestation_prop:s0 exact string
-# GRF property for the first api level of the vendor partition
+# Vendor API level properties for the vFRC and GRF
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.board.api_frozen u:object_r:build_vendor_prop:s0 exact bool
+ro.llndk.api_level u:object_r:build_vendor_prop:s0 exact int
ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
@@ -1142,6 +1170,7 @@
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file managed none
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
+ro.property_service.async_persist_writes u:object_r:build_config_prop:s0 exact bool
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
@@ -1263,6 +1292,7 @@
wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
wifi.direct.interface u:object_r:wifi_hal_prop:s0 exact string
wifi.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.interface. u:object_r:wifi_hal_prop:s0 prefix string
wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
@@ -1324,6 +1354,9 @@
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.clear_slots_with_set_layer_buffer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.prime_shader_cache.ultrahdr u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.game_default_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact int
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1405,6 +1438,8 @@
ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+ro.vulkan.apex u:object_r:graphics_config_prop:s0 exact string
+
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
@@ -1455,6 +1490,8 @@
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.mode u:object_r:setupwizard_mode_prop:s0 exact string
+
setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
@@ -1560,8 +1597,19 @@
ro.usb.uvc.enabled u:object_r:usb_uvc_enabled_prop:s0 exact bool
# System UI notification properties
+persist.sysui.notification.ranking_update_ashmem u:object_r:persist_sysui_ranking_update_prop:s0 exact bool
persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
# Properties for Quick Start setup.
ro.quick_start.oem_id u:object_r:quick_start_prop:s0 exact string
ro.quick_start.device_id u:object_r:quick_start_prop:s0 exact string
+
+# Properties for sensor service
+sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
+
+# Properties for game manager service
+persist.graphics.game_default_frame_rate.enabled u:object_r:game_manager_config_prop:s0 exact bool
+
+# Properties for app archiving
+pm.archiving.enabled u:object_r:pm_archiving_enabled_prop:s0 exact bool
+
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 509a96e..e7809e9 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -9,6 +9,7 @@
# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
+hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
diff --git a/private/rs.te b/private/rs.te
index 268f040..2674c0e 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -19,6 +19,8 @@
allow rs vendor_file:dir r_dir_perms;
r_dir_file(rs, vendor_overlay_file)
r_dir_file(rs, vendor_app_file)
+# Vendor overlay can be found in vendor apex
+allow rs vendor_apex_metadata_file:dir { getattr search };
# Read contents of app apks
r_dir_file(rs, apk_data_file)
@@ -30,11 +32,15 @@
# File descriptors passed from app to renderscript
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
+# See b/291211299. Since rs is deprecated, this shouldn't be too dangerous, since new
+# renderscript usages shouldn't be popping up.
+dontaudit rs { zygote surfaceflinger hal_graphics_allocator }:fd use;
+
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
neverallow rs rs:capability_class_set *;
neverallow { domain -appdomain } rs:process { dyntransition transition };
neverallow rs { domain -crash_dump }:process { dyntransition transition };
-neverallow rs app_data_file:file_class_set ~r_file_perms;
+neverallow rs app_data_file_type:file_class_set ~r_file_perms;
# rs should never use network sockets
neverallow rs *:network_socket_class_set *;
diff --git a/private/runas_app.te b/private/runas_app.te
index a5f47f4..9142a19 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -30,3 +30,6 @@
# processes, but not the whole system.
allow runas_app self:perf_event { open read write kernel };
neverallow runas_app self:perf_event ~{ open read write kernel };
+
+# Suppress bionic loader denial /data/local/tests directories.
+dontaudit runas_app shell_test_data_file:dir search;
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 6e7ba50..b4c655b 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -35,7 +35,7 @@
### neverallow rules
###
-neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
@@ -45,7 +45,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
-neverallow sdk_sandbox_all debugfs:file read;
+neverallow sdk_sandbox_all debugfs_type:file read;
# execute gpu_device
neverallow sdk_sandbox_all gpu_device:chr_file execute;
@@ -66,8 +66,9 @@
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
+# TODO(b/280514080): shell_data_file shouldn't be allowed here
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
diff --git a/private/sdk_sandbox_next.te b/private/sdk_sandbox_next.te
index 87884a9..6fd16ca 100644
--- a/private/sdk_sandbox_next.te
+++ b/private/sdk_sandbox_next.te
@@ -2,7 +2,9 @@
### SDK Sandbox process.
###
### This file defines the security policy for the sdk sandbox processes
-### for targetSdkVersion=34.
+### for a test set of restrictions. These restrictions will be adapted
+### with modifications, into the set of restrictions for the next SDK
+### level.
type sdk_sandbox_next, domain, coredomain, sdk_sandbox_all;
net_domain(sdk_sandbox_next)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 8f3cae9..957d005 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -48,6 +48,13 @@
# be mapped to isolated_compute_app by default. It is expected to be used together
# with user=_isolated. This selector should not be used unless it is intended
# to provide isolated processes with relaxed security restrictions.
+# An unspecified isIsolatedComputeApp defaults to false.
+#
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
#
# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
@@ -57,6 +64,11 @@
#
# isSdkSandboxNext=true means sdk sandbox processes will get
# sdk_sandbox_next sepolicy applied to them.
+# An unspecified isSdkSandboxNext defaults to false.
+#
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
#
# isSdkSandboxAudit=true means sdk sandbox processes will get
# sdk_sandbox_audit sepolicy applied to them.
@@ -78,8 +90,8 @@
# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
# defaults to 0 if unspecified.
# (8) fromRunAs=true before fromRunAs=false.
-# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
-# (10) isSdkSandboxNext=true before isSdkSandboxNext=false
+# (9) Platform seapp_contexts files (system, system_ext, product) before
+# vendor seapp_contexts files (vendor, odm).
# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
# longer prefix is more specific than a shorter prefix.)
# Apps are checked against entries in precedence order until the first match,
@@ -195,8 +207,8 @@
user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/service.te b/private/service.te
index 06b03e0..2f5241c 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,9 +1,10 @@
type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
-type bg_install_control_service, system_server_service, service_manager_type;
+type bg_install_control_service, system_api_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
+type feature_flags_service, app_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type logcat_service, system_server_service, service_manager_type;
@@ -20,6 +21,10 @@
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
-type vfio_handler_service, service_manager_type;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ type vfio_handler_service, service_manager_type;
+')
+
type uce_service, service_manager_type;
type wearable_sensing_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 8a7069a..ce151f0 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -2,6 +2,7 @@
android.frameworks.location.altitude.IAltitudeService/default u:object_r:fwk_altitude_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
+android.frameworks.vibrator.IVibratorControlService/default u:object_r:fwk_vibrator_control_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
# 'default' IModule is equivalent to 'primary' in HIDL
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
@@ -28,12 +29,17 @@
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
+android.hardware.bluetooth.finder.IBluetoothFinder/default u:object_r:hal_bluetooth_service:s0
+is_flag_enabled(RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE, `
+ android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default u:object_r:hal_bluetooth_service:s0
+')
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
# The instance here is internal/0 following naming convention for ICameraProvider.
# It advertises internal camera devices.
android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
+android.hardware.camera.provider.ICameraProvider/virtual/0 u:object_r:virtual_camera_service:s0
android.hardware.cas.IMediaCasService/default u:object_r:hal_cas_service:s0
android.hardware.confirmationui.IConfirmationUI/default u:object_r:hal_confirmationui_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
@@ -50,6 +56,9 @@
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.macsec.IMacsecPskPlugin/default u:object_r:hal_macsec_service:s0
+android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
+android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
@@ -86,8 +95,10 @@
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/avf u:object_r:hal_remotelyprovisionedcomponent_avf_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
@@ -95,6 +106,7 @@
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tetheroffload.IOffload/default u:object_r:hal_tetheroffload_service:s0
android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
+android.hardware.threadnetwork.IThreadChip/chip0 u:object_r:hal_threadnetwork_service:s0
android.hardware.tv.hdmi.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
android.hardware.tv.hdmi.connection.IHdmiConnection/default u:object_r:hal_tv_hdmi_connection_service:s0
android.hardware.tv.hdmi.earc.IEArc/default u:object_r:hal_tv_hdmi_earc_service:s0
@@ -116,6 +128,8 @@
android.hardware.secure_element.ISecureElement/SIM1 u:object_r:hal_secure_element_service:s0
android.hardware.secure_element.ISecureElement/SIM2 u:object_r:hal_secure_element_service:s0
android.hardware.secure_element.ISecureElement/SIM3 u:object_r:hal_secure_element_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/default u:object_r:hal_secretkeeper_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/nonsecure u:object_r:hal_secretkeeper_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
@@ -128,6 +142,7 @@
adservices_manager u:object_r:adservices_manager_service:s0
aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
+aidl_lazy_test_quit u:object_r:aidl_lazy_test_service:s0
aidl_lazy_cb_test u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.hardware.automotive.evs.IEvsEnumerator/default u:object_r:evsmanagerd_service:s0
@@ -145,7 +160,9 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
-android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
@@ -153,6 +170,7 @@
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
apexservice u:object_r:apex_service:s0
+archive u:object_r:archive_service:s0
attestation_verification u:object_r:attestation_verification_service:s0
blob_store u:object_r:blob_store_service:s0
gsiservice u:object_r:gsi_service:s0
@@ -228,6 +246,7 @@
external_vibrator_service u:object_r:external_vibrator_service:s0
ethernet u:object_r:ethernet_service:s0
face u:object_r:face_service:s0
+feature_flags u:object_r:feature_flags_service:s0
file_integrity u:object_r:file_integrity_service:s0
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
@@ -315,6 +334,7 @@
oem_lock u:object_r:oem_lock_service:s0
ondevicepersonalization_system_service u:object_r:ondevicepersonalization_system_service:s0
otadexopt u:object_r:otadexopt_service:s0
+ot_daemon u:object_r:ot_daemon_service:s0
overlay u:object_r:overlay_service:s0
pac_proxy u:object_r:pac_proxy_service:s0
package u:object_r:package_service:s0
@@ -342,6 +362,7 @@
rcs u:object_r:radio_service:s0
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
+remote_auth u:object_r:remote_auth_service:s0
remote_provisioning u:object_r:remote_provisioning_service:s0
resolver u:object_r:resolver_service:s0
resources u:object_r:resources_manager_service:s0
@@ -359,6 +380,7 @@
search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+security_state u:object_r:security_state_service:s0
selection_toolbar u:object_r:selection_toolbar_service:s0
sensorservice u:object_r:sensorservice_service:s0
sensor_privacy u:object_r:sensor_privacy_service:s0
@@ -406,10 +428,12 @@
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
thermalservice u:object_r:thermal_service:s0
+thread_network u:object_r:threadnetwork_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
translation u:object_r:translation_service:s0
transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
+tv_ad u:object_r:tv_ad_service:s0
tv_interactive_app u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
@@ -424,7 +448,9 @@
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
+virtual_camera u:object_r:virtual_camera_service:s0
virtualdevice u:object_r:virtual_device_service:s0
+virtualdevice_native u:object_r:virtual_device_native_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
diff --git a/private/shell.te b/private/shell.te
index 181963c..f32395e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
@@ -156,6 +159,8 @@
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
+# adjust SELinux audit rates
+set_prop(shell, logd_auditrate_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
@@ -247,4 +252,9 @@
# Allow shell to set persist.sysui.notification.builder_extras_override property
userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
+# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
+userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
+
+# Allow shell to read the build properties for attestation feature
+get_prop(shell, build_attestation_prop)
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 797a6c2..8cd9e63 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -57,6 +57,13 @@
allow snapuserd ota_metadata_file:dir rw_dir_perms;
allow snapuserd ota_metadata_file:file create_file_perms;
+# write to /data/misc/snapuserd_log
+allow snapuserd snapuserd_log_data_file:dir create_dir_perms;
+allow snapuserd snapuserd_log_data_file:file create_file_perms;
+
+# Read /proc/stat to determine boot time
+allow snapuserd proc_stat:file r_file_perms;
+
# This capability allows snapuserd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
allow snapuserd self:capability ipc_lock;
diff --git a/private/system_app.te b/private/system_app.te
index e2bec30..31e10bb 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -52,6 +52,7 @@
set_prop(system_app, usb_control_prop)
set_prop(system_app, usb_prop)
set_prop(system_app, log_tag_prop)
+set_prop(system_app, drm_forcel3_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app usb_control_prop:property_service set;
@@ -66,6 +67,9 @@
# Allow developer settings to query gsid status
get_prop(system_app, gsid_prop)
+# Allow developer settings to check 16k pages boot option status
+get_prop(system_app, enable_16k_pages_prop)
+
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
@@ -114,29 +118,10 @@
# suppress denials caused by debugfs_tracing
dontaudit system_app debugfs_tracing:file rw_file_perms;
-# Ignore access to zram when Debug.getMemInfo is called.
+# Ignore access to memory properties for Settings.
+dontaudit system_app proc_pagetypeinfo:file r_file_perms;
dontaudit system_app sysfs_zram:dir search;
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
allow system_app keystore:keystore2_key {
delete
get_info
@@ -174,12 +159,18 @@
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# allow system apps to read game manager related sysrops
+get_prop(system_app, game_manager_config_prop)
+
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
# Settings app reads ro.usb.uvc.enabled
get_prop(system_app, usb_uvc_enabled_prop)
+# Settings and Launcher apps read pm.archiving.enabled
+get_prop(system_app, pm_archiving_enabled_prop)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 98d859c..474a7b6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -147,9 +147,6 @@
sys_tty_config
};
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;
@@ -296,10 +293,12 @@
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
+binder_call(system_server, ot_daemon)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
+binder_call(system_server, virtual_camera)
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
@@ -308,6 +307,7 @@
# Use HALs
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_audio)
+hal_client_domain(system_server, hal_authgraph)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
@@ -330,9 +330,11 @@
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_rebootescrow)
+hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_threadnetwork)
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_hdmi_cec)
hal_client_domain(system_server, hal_tv_hdmi_connection)
@@ -386,6 +388,7 @@
mediatuner
netd
sdcardd
+ servicemanager
statsd
surfaceflinger
vold
@@ -478,6 +481,8 @@
allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
allow system_server uhid_device:chr_file rw_file_perms;
+allow system_server hidraw_device:dir r_dir_perms;
+allow system_server hidraw_device:chr_file rw_file_perms;
# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
allow system_server audio_device:chr_file rw_file_perms;
@@ -742,6 +747,7 @@
set_prop(system_server, cppreopt_prop)
# server configurable flags properties
+set_prop(system_server, device_config_core_experiments_team_internal_prop)
set_prop(system_server, device_config_edgetpu_native_prop)
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
@@ -763,6 +769,7 @@
set_prop(system_server, device_config_configuration_prop)
set_prop(system_server, device_config_connectivity_prop)
set_prop(system_server, device_config_surface_flinger_native_boot_prop)
+set_prop(system_server, device_config_aconfig_flags_prop)
set_prop(system_server, device_config_vendor_system_native_prop)
set_prop(system_server, device_config_vendor_system_native_boot_prop)
set_prop(system_server, device_config_virtualization_framework_native_prop)
@@ -773,6 +780,9 @@
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)
+# staged flag properties
+set_prop(system_server, next_boot_prop)
+
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)
@@ -843,6 +853,8 @@
# Read persist.sysui.notification.builder_extras_override property
get_prop(system_server, persist_sysui_builder_extras_prop)
+# Read persist.sysui.notification.ranking_update_ashmem property
+get_prop(system_server, persist_sysui_ranking_update_prop)
# Read ro.tuner.lazyhal
get_prop(system_server, tuner_config_prop)
@@ -852,6 +864,10 @@
# Allow the heap dump ART plugin to the count of sessions waiting for OOME
get_prop(system_server, traced_oome_heap_session_count_prop)
+# Allow the sensor service (running in the system service) to read sensor
+# configuration properties
+get_prop(system_server, sensors_config_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -917,6 +933,9 @@
allow system_server sysfs_zram:dir search;
allow system_server sysfs_zram:file rw_file_perms;
+# Read /sys/fs/selinux/policy
+allow system_server kernel:security read_policy;
+
add_service(system_server, system_server_service);
allow system_server artd_service:service_manager find;
allow system_server audioserver_service:service_manager find;
@@ -947,11 +966,13 @@
allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
+allow system_server ot_daemon_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
+allow system_server virtual_camera_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
@@ -961,34 +982,13 @@
add_service(system_server, batteryproperties_service)
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
allow system_server keystore:keystore2 {
add_auth
change_password
change_user
clear_ns
clear_uid
- get_state
+ get_last_auth_time
lock
pull_metrics
reset
@@ -1040,7 +1040,8 @@
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
# Create new process groups and clean up old cgroups
-allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup:dir create_dir_perms;
+allow system_server cgroup:file setattr;
allow system_server cgroup_v2:dir create_dir_perms;
allow system_server cgroup_v2:file { r_file_perms setattr };
@@ -1105,12 +1106,11 @@
allow system_server toolbox_exec:file rx_file_perms;
# Allow system process to setup fs-verity
-allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
+allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
-# Allow system process to measure fs-verity for apps, apps being installed and system files
-allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
+# Allow system process to measure fs-verity for apps, including those being installed
+allowxperm system_server { apk_data_file apk_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
allowxperm system_server apk_tmp_file:file ioctl FS_IOC_SETFLAGS;
-allow system_server system_file:file ioctl;
# Postinstall
#
@@ -1137,6 +1137,7 @@
allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
r_dir_file(system_server, proc_asound)
+r_dir_file(system_server, proc_memhealth)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
@@ -1189,6 +1190,9 @@
allow system_server bpfloader:bpf { map_read map_write prog_run };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
+# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
+# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
+dontaudit system_server self:key_socket getopt;
# Allow system_server to start clatd in its own domain and kill it.
domain_auto_trans(system_server, clatd_exec, clatd)
@@ -1307,6 +1311,7 @@
-system_server
-flags_health_check
} {
+ device_config_core_experiments_team_internal_prop
device_config_activity_manager_native_boot_prop
device_config_connectivity_prop
device_config_input_native_boot_prop
@@ -1323,8 +1328,10 @@
device_config_surface_flinger_native_boot_prop
device_config_sys_traced_prop
device_config_swcodec_native_prop
+ device_config_aconfig_flags_prop
device_config_window_manager_native_boot_prop
device_config_tethering_u_or_later_native_prop
+ next_boot_prop
}:property_service set;
# Only allow system_server and init to set tuner_server_ctl_prop
@@ -1441,6 +1448,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server repair_mode_metadata_file:dir rw_dir_perms;
+allow system_server repair_mode_metadata_file:file create_file_perms;
+
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
@@ -1540,5 +1550,16 @@
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+# Allow reading /system/etc/font_fallback.xml
+allow system_server system_font_fallback_file:file r_file_perms;
+
# Allow system server to set dynamic ART properties.
set_prop(system_server, dalvik_dynamic_config_prop)
+
+# Allow system server to read binderfs
+allow system_server binderfs_logs:dir r_dir_perms;
+allow system_server binderfs_logs_stats:file r_file_perms;
+
+# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
+set_prop(system_server, game_manager_config_prop)
+
diff --git a/private/system_suspend.te b/private/system_suspend.te
index bef7c6d..683d913 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -37,6 +37,9 @@
allow system_suspend sysfs_wake_lock:file rw_file_perms;
allow system_suspend self:global_capability2_class_set block_suspend;
+# Allow init to set /sys/power/sync_on_suspend.
+allow init sysfs_sync_on_suspend:file w_file_perms;
+
neverallow {
domain
-atrace # tracing
diff --git a/private/traced.te b/private/traced.te
index fc75239..d4e5bec 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -52,6 +52,11 @@
userdebug_or_eng(`system_server_tmpfs')
}:file { getattr map read write };
+# Allow setting debug properties which guard initialization of the Perfetto SDK
+# in SurfaceFlinger and HWUI's copy of Skia.
+# Required for the android.sdk_sysprop_guard data source.
+# TODO(b/281329340): remove this when no longer needed.
+set_prop(traced, debug_prop)
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 640b054..c7e81cd 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -58,7 +58,7 @@
dontaudit traced_perf domain:process signal;
# Never allow access to app data files
-neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+neverallow traced_perf app_data_file_type:file *;
# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 2937e26..a743917 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -10,6 +10,8 @@
allow traceur_app trace_data_file:file create_file_perms;
allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:file { getattr r_file_perms unlink };
allow traceur_app atrace_exec:file rx_file_perms;
# To exec the perfetto cmdline client and pass it the trace config on
diff --git a/private/update_engine.te b/private/update_engine.te
index 8d6341c..c9511f7 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -14,6 +14,7 @@
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
+get_prop(update_engine, ota_build_prop)
# Allow to get the DSU status
get_prop(update_engine, gsid_prop)
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 706a6ca..963809e 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -1,24 +1,37 @@
-# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
-# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
-type vfio_handler, domain, coredomain;
-type vfio_handler_exec, system_file_type, exec_type, file_type;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+ # vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+ type vfio_handler, domain, coredomain;
+ type vfio_handler_exec, system_file_type, exec_type, file_type;
-# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
-init_daemon_domain(vfio_handler)
+ # When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+ init_daemon_domain(vfio_handler)
-# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
-add_service(vfio_handler, vfio_handler_service)
+ # Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+ add_service(vfio_handler, vfio_handler_service)
-# Let the vfio_handler domain use Binder.
-binder_use(vfio_handler)
+ # Let the vfio_handler domain use Binder.
+ binder_use(vfio_handler)
-# Allow vfio_handler to check if VFIO is supported
-allow vfio_handler vfio_device:chr_file getattr;
-allow vfio_handler vfio_device:dir r_dir_perms;
+ # Allow vfio_handler to check if VFIO is supported
+ allow vfio_handler vfio_device:chr_file getattr;
+ allow vfio_handler vfio_device:dir r_dir_perms;
-# Allow vfio_handler to bind/unbind platform devices
-allow vfio_handler sysfs:dir r_dir_perms;
-allow vfio_handler sysfs:file rw_file_perms;
+ # Allow vfio_handler to bind/unbind platform devices
+ allow vfio_handler sysfs:dir r_dir_perms;
+ allow vfio_handler sysfs:file rw_file_perms;
-# Only vfio_handler can add vfio_handler_service
-neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+ # Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
+ allow vfio_handler virtualizationservice:fd use;
+ allow vfio_handler virtualizationservice_data_file:file write;
+
+ # vfio_handler can only use fd from virtualizationservice, and cannot open files itself
+ neverallow vfio_handler virtualizationservice_data_file:file { open create };
+
+ # Allow vfio_handler to search /dev/block for accessing dtbo.img
+ allow vfio_handler block_device:dir search;
+ allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+
+ # Only vfio_handler can add vfio_handler_service
+ neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
new file mode 100644
index 0000000..4c4ac7a
--- /dev/null
+++ b/private/virtual_camera.te
@@ -0,0 +1,37 @@
+# virtual_camera - virtual camera daemon
+
+type virtual_camera, domain, coredomain;
+type virtual_camera_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(virtual_camera)
+
+# Since virtual_camera is not a real HAL we don't set the
+# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
+# we actually need from halserverdomain and hal_camera_server:
+binder_use(virtual_camera)
+binder_call(virtual_camera, cameraserver)
+binder_call(virtual_camera, system_server)
+
+
+# Allow virtualCamera to call apps via binder.
+binder_call(virtual_camera, appdomain)
+
+# Allow virtual_camera to use fd from apps
+allow virtual_camera { appdomain -isolated_app }:fd use;
+
+# Only allow virtual_camera to add a virtual_camera_service and no one else.
+add_service(virtual_camera, virtual_camera_service);
+
+# Allow virtual_camera to map graphic buffers
+hal_client_domain(virtual_camera, hal_graphics_allocator)
+
+# Allow virtual_camera to use GPU
+allow virtual_camera gpu_device:chr_file rw_file_perms;
+allow virtual_camera gpu_device:dir r_dir_perms;
+
+# For collecting bugreports.
+allow virtual_camera dumpstate:fd use;
+allow virtual_camera dumpstate:fifo_file write;
+
+# Needed for permission checks.
+allow virtual_camera permission_service:service_manager find;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 70338ff..40d95c6 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -5,7 +5,10 @@
# Allow virtualizationmanager to communicate use, read and write over the adb connection.
allow virtualizationmanager adbd:fd use;
-allow virtualizationmanager adbd:unix_stream_socket { read write };
+allow virtualizationmanager adbd:unix_stream_socket { getattr read write };
+
+# Allow writing VM logs to the shell console
+allow virtualizationmanager devpts:chr_file { read write getattr ioctl };
# Let the virtualizationmanager domain use Binder.
binder_use(virtualizationmanager)
@@ -37,6 +40,7 @@
allow virtualizationmanager {
app_data_file
apex_compos_data_file
+ apex_virt_data_file
privapp_data_file
}:file { getattr read write };
@@ -62,6 +66,16 @@
get_prop(virtualizationmanager, hypervisor_prop)
get_prop(virtualizationmanager, hypervisor_restricted_prop)
+# Allow virtualizationmanager to be read custom pvmfw.img configuration
+userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_pvmfw_prop)')
+dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_pvmfw_prop:file no_rw_file_perms;
+
+# Allow virtualizationmanager to be read custom virtualizationmanager configuration
+userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_virtualizationmanager_prop)')
+dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
+
# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
@@ -80,13 +94,16 @@
allow virtualizationmanager shell_data_file:file open;
')
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
+# Do not allow writing vendor_microdroid_file from any process.
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:dir no_w_dir_perms;
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:file no_w_file_perms;
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
# a harmless denial for CompOS log files, so ignore that.
dontaudit virtualizationmanager apex_module_data_file:dir search;
-
-# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler.
-allow virtualizationmanager vfio_handler:fd use;
-allow virtualizationmanager vfio_handler:fifo_file r_file_perms;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index a4588dc..e17797e 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,9 +15,15 @@
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
-# Let virtualizationservice find and communicate with vfio_handler.
-allow virtualizationservice vfio_handler_service:service_manager find;
-binder_call(virtualizationservice, vfio_handler)
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # Let virtualizationservice find and communicate with vfio_handler.
+ allow virtualizationservice vfio_handler_service:service_manager find;
+ binder_call(virtualizationservice, vfio_handler)
+')
+
+# Allow the virtualizationservice domain to serve a remotely provisioned component for
+# pVM remote attestation.
+hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
@@ -34,13 +40,23 @@
# Let virtualizationservice create and delete temporary directories of VMs. To remove old
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
+allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
+allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };
+# Allow to connnect to and run VirtMgr to start the service VM for remote attestation.
+virtualizationservice_use(virtualizationservice)
+
+# Allow virtualizationservice to read and write in the apex data directory
+# /data/misc/apexdata/com.android.virt
+allow virtualizationservice apex_module_data_file:dir search;
+allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
+allow virtualizationservice apex_virt_data_file:file create_file_perms;
+
# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
@@ -62,9 +78,11 @@
allow virtualizationservice vfio_device:chr_file getattr;
allow virtualizationservice vfio_device:dir r_dir_perms;
-# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
-allow virtualizationservice vfio_handler:fd use;
-allow virtualizationservice vfio_handler:fifo_file r_file_perms;
+# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
+allow virtualizationservice virtualizationmanager:fd use;
+
+# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
+r_dir_file(virtualizationservice, vendor_configs_file)
neverallow {
domain
@@ -85,5 +103,7 @@
-virtualizationservice
}:process setrlimit;
-# Only virtualizationservice can communicate to vfio_handler
-neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # Only virtualizationservice can communicate to vfio_handler
+ neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+')
diff --git a/private/vold.te b/private/vold.te
index 957e5d0..4256ac3 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -7,6 +7,10 @@
domain_auto_trans(vold, sdcardd_exec, sdcardd);
domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
+# Switch to e2fs domain when running mkfs.ext4 to format a partition
+domain_auto_trans(vold, e2fs_exec, e2fs);
+
+
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
domain_trans(vold, blkid_exec, blkid);
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3473eca..7b05af2 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -35,6 +35,9 @@
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
allow webview_zygote apex_module_data_file:dir search;
+# To load overlay from /apex (vendor APEXes)
+allow webview_zygote vendor_apex_metadata_file:dir search;
+
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;
@@ -80,6 +83,8 @@
allow webview_zygote system_data_file:lnk_file r_file_perms;
+allow webview_zygote properties_device:dir mounton;
+
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
diff --git a/private/zygote.te b/private/zygote.te
index be94a52..4815ecc 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -76,6 +76,8 @@
user_profile_data_file
# /storage/emulated/$userId/Android/{data,obb}
media_rw_data_file
+ # /dev/__properties__
+ properties_device
}:dir { mounton search };
# Traverse /data_mirror to get to the above directories while their normal paths
@@ -247,9 +249,11 @@
# preloaded classes
get_prop(zygote, persist_wm_debug_prop)
-# Allow zygote to read persist_sysui_builder_extras_prop to toggle experimental features in
-# core preloaded classes
+# Allow zygote to read persist_sysui_builder_extras_prop
+# and persist_sysui_ranking_update_prop
+# to toggle experimental features in core preloaded classes
get_prop(zygote, persist_sysui_builder_extras_prop)
+get_prop(zygote, persist_sysui_ranking_update_prop)
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
@@ -263,6 +267,9 @@
# Allow zygote to query for compression/features.
r_dir_file(zygote, sysfs_fs_f2fs)
+# Allow zygote to read fonts_customization.xml for preloading font files that matches device locale.
+allow zygote system_font_fallback_file:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/app.te b/public/app.te
index da59f32..b539913 100644
--- a/public/app.te
+++ b/public/app.te
@@ -89,7 +89,7 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
+neverallow appdomain system_file_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to entrypoint executables.
@@ -110,9 +110,6 @@
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
- apk_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
apk_private_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
@@ -139,11 +136,15 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+neverallow { appdomain -platform_app }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
{ apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
# Access to factory files.
neverallow appdomain efs_file:dir_file_class_set write;
diff --git a/public/attributes b/public/attributes
index 16a8e66..759b773 100644
--- a/public/attributes
+++ b/public/attributes
@@ -221,7 +221,8 @@
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
-# All domains used for binder service domains.
+# Specific domains that expose a binder service.
+# Deprecated, consider granting the exact permissions required by your service.
attribute binderservicedomain;
# All domains which have BPF access.
@@ -330,6 +331,7 @@
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
+hal_attribute(authgraph);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
@@ -363,6 +365,7 @@
hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
+hal_attribute(macsec);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
@@ -373,11 +376,14 @@
hal_attribute(power_stats);
hal_attribute(rebootescrow);
hal_attribute(remoteaccess);
+hal_attribute(secretkeeper);
+hal_attribute(remotelyprovisionedcomponent_avf);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
+hal_attribute(threadnetwork);
hal_attribute(tv_cec);
hal_attribute(tv_hdmi_cec);
hal_attribute(tv_hdmi_connection);
diff --git a/public/cameraserver.te b/public/cameraserver.te
index c88e3f0..8a4016c 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -37,6 +37,7 @@
allow cameraserver hidl_token_hwservice:hwservice_manager find;
allow cameraserver hal_camera_service:service_manager find;
+allow cameraserver virtual_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };
diff --git a/public/device.te b/public/device.te
index 36299d3..f842d33 100644
--- a/public/device.te
+++ b/public/device.te
@@ -64,6 +64,7 @@
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
+type hidraw_device, dev_type;
# All devices have a uart for the hci
# attach service. The uart dev node
@@ -93,6 +94,10 @@
# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
+# dtbo block device, type used for getting DTBO information for AVF.
+# Documented at https://source.android.com/docs/core/architecture/dto/partitions
+type dtbo_block_device, dev_type;
+
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 86f1eb1..d189c89 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -23,6 +23,3 @@
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
-
-# sometimes a network device vanishes and we try to load module netdev-{devicename}
-dontaudit dnsmasq kernel:system module_request;
diff --git a/public/domain.te b/public/domain.te
index 0b06421..d630a24 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -57,6 +57,9 @@
allow domain method_trace_data_file:file create_file_perms;
')
+# Allow everyone to read aconfig flags
+get_prop(domain, device_config_aconfig_flags_prop);
+
# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
@@ -437,6 +440,10 @@
neverallow * init:binder *;
neverallow * vendor_init:binder *;
+# Binderfs logs contain sensitive information about other processes.
+neverallow { domain -dumpstate -init -vendor_init userdebug_or_eng(`-domain') } { binderfs_logs binderfs_logs_proc }:file no_rw_file_perms;
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_stats:file no_rw_file_perms;
+
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
@@ -579,7 +586,6 @@
-init
-recovery
-system_server
- -shell # Shell is further restricted in shell.te
-ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file no_rw_file_perms;
@@ -1057,6 +1063,7 @@
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
+neverallow { domain -init -zygote } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
@@ -1289,7 +1296,3 @@
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
-
-# Allow everyone to read media server-configurable flags, so that libstagefright can be
-# configured using server-configurable flags
-get_prop(domain, device_config_media_native_prop)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 58d6efa..549e6c6 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -56,7 +56,7 @@
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server zygote }:process signal;
+allow dumpstate { appdomain system_server zygote app_zygote }:process signal;
# Signal native processes to dump their stack.
allow dumpstate {
@@ -146,11 +146,12 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
+binder_call(dumpstate, { appdomain artd netd wificond })
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
+dump_hal(hal_authgraph)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
@@ -177,6 +178,7 @@
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_rebootescrow)
+dump_hal(hal_secretkeeper)
dump_hal(hal_sensors)
dump_hal(hal_thermal)
dump_hal(hal_vehicle)
@@ -259,6 +261,9 @@
# Access /data/misc/update_engine & /data/misc/update_engine_log
allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
+# Access /data/misc/snapuserd_log
+allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
+allow dumpstate snapuserd_log_data_file:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
@@ -376,6 +381,7 @@
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
+allow dumpstate binderfs_logs_stats:file r_file_perms;
use_apex_info(dumpstate)
diff --git a/public/e2fs.te b/public/e2fs.te
index 6bce10f..973abb9 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -9,6 +9,12 @@
allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs dm_device:blk_file rw_file_perms;
allow e2fs zoned_block_device:blk_file rw_file_perms;
+# Vold needs to capture mkfs.ext4's output
+allow e2fs vold:fd use;
+# Need to be able to format a partition
+allow e2fs sysfs_dm:dir r_dir_perms;
+allow e2fs sysfs_dm:file r_file_perms;
+
allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
};
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 8452b97..788a76f 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -87,7 +87,6 @@
allow fastbootd cache_file:dir search;
allow fastbootd proc_filesystems:file { getattr open read };
allow fastbootd self:capability sys_rawio;
- dontaudit fastbootd kernel:system module_request;
allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
allow fastbootd {
diff --git a/public/file.te b/public/file.te
index 9d43ccb..01143f7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -7,6 +7,7 @@
type binderfs, fs_type;
type binderfs_logs, fs_type;
type binderfs_logs_proc, fs_type;
+type binderfs_logs_stats, fs_type;
type binderfs_features, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
@@ -15,6 +16,7 @@
type proc_min_free_order_shift, fs_type, proc_type;
type proc_kpageflags, fs_type, proc_type;
type proc_watermark_boost_factor, fs_type, proc_type;
+type proc_percpu_pagelist_high_fraction, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -46,6 +48,7 @@
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
+type proc_memhealth, fs_type, proc_type;
type proc_misc, fs_type, proc_type;
type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type, proc_type;
@@ -115,6 +118,7 @@
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
+type sysfs_sync_on_suspend, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
@@ -251,6 +255,9 @@
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+# Files having this type should be read-only.
+type vendor_microdroid_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
@@ -287,6 +294,8 @@
type staged_install_file, file_type;
# Metadata information within /metadata/watchdog
type watchdog_metadata_file, file_type;
+# Repair mode files within /metadata/repair-mode
+type repair_mode_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -462,6 +471,7 @@
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
+type snapuserd_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 8cf2411..eab38dd 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -17,7 +17,6 @@
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index d48c5f8..0035bc6 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -22,7 +22,6 @@
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
allow gatekeeperd authorization_service:service_manager find;
diff --git a/public/hal_authgraph.te b/public/hal_authgraph.te
new file mode 100644
index 0000000..f053cb0
--- /dev/null
+++ b/public/hal_authgraph.te
@@ -0,0 +1,7 @@
+binder_call(hal_authgraph_client, hal_authgraph_server)
+
+hal_attribute_service(hal_authgraph, hal_authgraph_service)
+binder_call(hal_authgraph_server, servicemanager)
+
+allow hal_authgraph_server tee_device:chr_file rw_file_perms;
+allow hal_authgraph_server ion_device:chr_file r_file_perms;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index a379bb3..60cda48 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -7,6 +7,7 @@
binder_call(hal_codec2_server, hal_codec2_client)
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+hal_attribute_service(hal_codec2, hal_codec2_service)
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
@@ -25,3 +26,7 @@
allow hal_codec2_client ion_device:chr_file r_file_perms;
+# codec2 aidl graphic buffer allocation waitable object
+allow hal_codec2_server su:fifo_file read;
+allow hal_codec2_server mediaserver:fifo_file read;
+allow hal_codec2_server untrusted_app_all:fifo_file read;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 43d0a7c..0ee0c5f 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -12,7 +12,9 @@
allow hal_drm self:process execmem;
# Permit reading device's serial number from system properties
-get_prop(hal_drm, serialno_prop)
+get_prop(hal_drm_server, serialno_prop)
+# Permit reading force L3 system property
+get_prop(hal_drm_server, drm_forcel3_prop)
# Read files already opened under /data
allow hal_drm system_data_file:file { getattr read };
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 193b05a..eaa223b 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -9,6 +9,8 @@
binder_call(hal_dumpstate_server, servicemanager)
+binder_use(hal_dumpstate_server)
+
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
allow hal_dumpstate shell_data_file:file write;
# allow reading /proc/interrupts for all hal impls
diff --git a/public/hal_face.te b/public/hal_face.te
index 0134576..e14666a 100644
--- a/public/hal_face.te
+++ b/public/hal_face.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_face, hal_face_hwservice)
hal_attribute_service(hal_face, hal_face_service)
-binder_call(hal_face_server, servicemanager)
+binder_use(hal_face_server)
# Allow access to the ion memory allocation device.
allow hal_face ion_device:chr_file r_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 832bc8d..59a6df8 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -4,6 +4,6 @@
hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
hal_attribute_service(hal_gnss, hal_gnss_service)
-binder_call(hal_gnss_server, servicemanager)
-binder_call(hal_gnss_client, servicemanager)
+binder_use(hal_gnss_server)
+binder_use(hal_gnss_client)
diff --git a/public/hal_macsec.te b/public/hal_macsec.te
new file mode 100644
index 0000000..27225db
--- /dev/null
+++ b/public/hal_macsec.te
@@ -0,0 +1,7 @@
+# Binder IPC from client to server, and callbacks
+binder_call(hal_macsec_client, hal_macsec_server)
+binder_call(hal_macsec_server, hal_macsec_client)
+
+hal_attribute_service(hal_macsec, hal_macsec_service)
+
+binder_use(hal_macsec_server)
diff --git a/public/hal_remotelyprovisionedcomponent_avf.te b/public/hal_remotelyprovisionedcomponent_avf.te
new file mode 100644
index 0000000..8cc7ce5
--- /dev/null
+++ b/public/hal_remotelyprovisionedcomponent_avf.te
@@ -0,0 +1,8 @@
+# allow binder connection from client to server
+binder_call(hal_remotelyprovisionedcomponent_avf_client, hal_remotelyprovisionedcomponent_avf_server)
+
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_remotelyprovisionedcomponent_avf, hal_remotelyprovisionedcomponent_avf_service)
+
+# allow binder communication from server to service_manager
+binder_use(hal_remotelyprovisionedcomponent_avf_server)
diff --git a/public/hal_secretkeeper.te b/public/hal_secretkeeper.te
new file mode 100644
index 0000000..359159f
--- /dev/null
+++ b/public/hal_secretkeeper.te
@@ -0,0 +1,12 @@
+# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
+# storage of secrets guarded by DICE policies.
+binder_call(hal_secretkeeper_client, hal_secretkeeper_server)
+
+hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)
+
+binder_use(hal_secretkeeper_server)
+binder_use(hal_secretkeeper_client)
+
+# The Secretkeeper HAL service needs to communicate with a trusted application running
+# in the TEE, which is represented by the tee_device permission.
+allow hal_secretkeeper_server tee_device:chr_file rw_file_perms;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index e21796a..306d459 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -8,7 +8,6 @@
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allow hal_telephony_server kernel:system module_request;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/hal_threadnetwork.te b/public/hal_threadnetwork.te
new file mode 100644
index 0000000..1f0745b
--- /dev/null
+++ b/public/hal_threadnetwork.te
@@ -0,0 +1,7 @@
+binder_call(hal_threadnetwork_client, hal_threadnetwork_server)
+binder_call(hal_threadnetwork_server, hal_threadnetwork_client)
+
+hal_attribute_service(hal_threadnetwork, hal_threadnetwork_service)
+
+binder_call(hal_threadnetwork_server, servicemanager)
+binder_call(hal_threadnetwork_client, servicemanager)
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index c902495..6909ff2 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -12,3 +12,6 @@
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
allow hal_vibrator sysfs_vibrator:dir search;
+
+# Allow HAL vibrator to control some parameters of a vibration, such as scaling.
+allow hal_vibrator fwk_vibrator_control_service:service_manager find;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index b531a22..498469d 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -11,7 +11,6 @@
r_dir_file(hal_wifi_supplicant, sysfs_type)
r_dir_file(hal_wifi_supplicant, proc_net_type)
-allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
diff --git a/public/init.te b/public/init.te
index a399b3a..29dd42d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -26,7 +26,7 @@
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
@@ -56,6 +56,7 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+allow init dtbo_block_device:lnk_file relabelto;
allow init super_block_device:lnk_file relabelto;
# Create /mnt/sdcard -> /storage/self/primary symlink.
@@ -660,7 +661,7 @@
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
-neverallow init { app_data_file privapp_data_file }:lnk_file read;
+neverallow init app_data_file_type:lnk_file read;
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
diff --git a/public/installd.te b/public/installd.te
index 216704d..88f6aab 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -33,6 +33,8 @@
r_dir_file(installd, vendor_framework_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow installd vendor_apex_metadata_file:dir { getattr search };
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context
diff --git a/public/logd.te b/public/logd.te
index 8187179..aaf3900 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -57,10 +57,15 @@
neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
+neverallow logd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
+neverallow logd {
+ app_data_file_type
+ system_data_file
+ packages_list_file
+ -shell_data_file # for bugreports
+}:dir_file_class_set write;
# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
diff --git a/public/logpersist.te b/public/logpersist.te
index c8e6af4..f2e856b 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -17,7 +17,7 @@
neverallow logpersist domain:process ptrace;
# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;
# Only init should be allowed to enter the logpersist domain via exec()
# Following is a list of debug domains we know that transition to logpersist
@@ -28,3 +28,8 @@
# -system_app # Smith.apk
# } logpersist:process transition;
neverallow * logpersist:process dyntransition;
+
+allowxperm logpersist misc_logd_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_SETFLAGS
+};
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index edbab03..b3b26c1 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -21,7 +21,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/netd.te b/public/netd.te
index e3ea1cb..41ae9ec 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -80,7 +80,7 @@
allow netd system_file:file lock;
# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
+allow netd dnsmasq:process { sigkill signal };
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
@@ -129,7 +129,7 @@
neverallow netd { domain }:process ptrace;
# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
+neverallow netd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
@@ -185,6 +185,4 @@
# (things it requires should be built directly into the kernel)
dontaudit netd self:capability sys_module;
-dontaudit netd kernel:system module_request;
-
dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/public/profman.te b/public/profman.te
index 727daee..85cdc1e 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -28,4 +28,4 @@
### neverallow rules
###
-neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow profman app_data_file_type:notdevfile_class_set open;
diff --git a/public/property.te b/public/property.te
index 323108e..b072b5b 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(composd_vm_art_prop)
+system_restricted_prop(device_config_aconfig_flags_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
system_restricted_prop(device_config_media_native_prop)
@@ -74,6 +75,7 @@
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_vendor_system_native_boot_prop)
+system_restricted_prop(drm_forcel3_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
@@ -102,7 +104,6 @@
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
system_restricted_prop(config_prop)
@@ -167,6 +168,7 @@
system_vendor_config_prop(mediadrm_config_prop)
system_vendor_config_prop(mm_events_config_prop)
system_vendor_config_prop(oem_unlock_prop)
+system_vendor_config_prop(ota_build_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(quick_start_prop)
system_vendor_config_prop(recovery_config_prop)
@@ -195,6 +197,8 @@
system_vendor_config_prop(dck_prop)
system_vendor_config_prop(tuner_config_prop)
system_vendor_config_prop(usb_uvc_enabled_prop)
+system_vendor_config_prop(setupwizard_mode_prop)
+system_vendor_config_prop(pm_archiving_enabled_prop)
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/public/racoon.te b/public/racoon.te
index e4b299e..b0383f0 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -13,7 +13,6 @@
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
allow racoon cgroup_v2:dir { add_name create };
-allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
@@ -26,10 +25,3 @@
allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index d4b4562..7224e87 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -25,8 +25,8 @@
neverallow recovery_persist domain:process ptrace;
# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
+neverallow recovery_persist system_file_type:dir_file_class_set write;
# Write to files in /data/data
-neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index d6870dc..d20cd44 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -18,7 +18,7 @@
neverallow recovery_refresh domain:process ptrace;
# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
+neverallow recovery_refresh system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/service.te b/public/service.te
index b32314d..acbaf4d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -37,6 +37,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
+type ot_daemon_service, service_manager_type;
type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
@@ -49,6 +50,7 @@
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
type virtualization_service, service_manager_type;
+type virtual_camera_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
@@ -69,6 +71,7 @@
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type archive_service, app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type attestation_verification_service, app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -114,7 +117,7 @@
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type domain_verification_service, app_api_service, system_server_service, service_manager_type;
-type color_display_service, system_api_service, system_server_service, service_manager_type;
+type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -133,6 +136,7 @@
type fwk_altitude_service, system_server_service, service_manager_type;
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type fwk_sensor_service, system_server_service, service_manager_type;
+type fwk_vibrator_control_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type gnss_time_update_service, system_server_service, service_manager_type;
@@ -196,6 +200,7 @@
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_auth_service, app_api_service, system_server_service, service_manager_type;
type remote_provisioning_service, system_server_service, service_manager_type;
type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -208,6 +213,7 @@
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type security_state_service, app_api_service, system_server_service, service_manager_type;
type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -233,10 +239,12 @@
type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type threadnetwork_service, app_api_service, system_server_service, service_manager_type;
type timedetector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_ad_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_iapp_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -251,6 +259,7 @@
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type virtual_device_service, app_api_service, system_server_service, service_manager_type;
+type virtual_device_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
@@ -273,6 +282,7 @@
type hal_audio_service, protected_service, hal_service_type, service_manager_type;
type hal_audiocontrol_service, hal_service_type, service_manager_type;
+type hal_authgraph_service, protected_service, hal_service_type, service_manager_type;
type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
@@ -280,6 +290,7 @@
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
+type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
@@ -299,6 +310,7 @@
type hal_ivn_service, protected_service, hal_service_type, service_manager_type;
type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
type hal_light_service, protected_service, hal_service_type, service_manager_type;
+type hal_macsec_service, protected_service, hal_service_type, service_manager_type;
type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
type hal_neuralnetworks_service, hal_service_type, service_manager_type;
type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
@@ -308,8 +320,10 @@
type hal_radio_service, protected_service, hal_service_type, service_manager_type;
type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_avf_service, protected_service, hal_service_type, service_manager_type;
type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;
type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
@@ -320,6 +334,7 @@
type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
+type hal_threadnetwork_service, protected_service, hal_service_type, service_manager_type;
type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_service, protected_service, hal_service_type, service_manager_type;
type hal_usb_gadget_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index bcdc322..a893cdb 100644
--- a/public/su.te
+++ b/public/su.te
@@ -48,7 +48,6 @@
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
@@ -91,6 +90,7 @@
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
typeattribute su hal_rebootescrow_client;
+ typeattribute su hal_secretkeeper_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
diff --git a/public/te_macros b/public/te_macros
index c4ebc63..d2f4406 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -440,8 +440,7 @@
#####################################
# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
+# Deprecated. Consider granting the exact permissions required by your service.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
diff --git a/public/ueventd.te b/public/ueventd.te
index 094594b..3135a7f 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -69,6 +69,9 @@
allow ueventd dm_device:chr_file rw_file_perms;
allow ueventd self:capability sys_admin;
+# Allow ueventd to read apexd property
+get_prop(ueventd, apexd_prop)
+
#####
##### neverallow rules
#####
diff --git a/public/update_engine.te b/public/update_engine.te
index ab7090b..6f79902 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -29,9 +29,6 @@
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
@@ -76,3 +73,7 @@
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
allow update_engine snapshotctl_log_data_file:file create_file_perms;
')
+
+# Allow determining filesystems available on system.
+# Needed for checking if overlayfs is enabled
+allow update_engine proc_filesystems:file r_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9dd9898..a9d1b5d 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -302,7 +302,7 @@
neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
+neverallow vendor_init app_data_file_type:lnk_file read;
neverallow vendor_init shell_data_file:lnk_file read;
# Init should not be creating subdirectories in /data/local/tmp
neverallow vendor_init shell_data_file:dir { write add_name remove_name };
diff --git a/public/vold.te b/public/vold.te
index 3d204e1..c0fdf50 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -177,10 +177,13 @@
allow vold labeledfs:filesystem { mount unmount remount };
# Create and mount on /data/tmp_mnt and management of expansion mounts
+#
+# Also rename per-user encrypted directories such as /data/user/10 from their
+# temporary name ("10.new") to their final name ("10").
allow vold {
system_data_file
system_data_root_file
-}:dir { create rw_dir_perms mounton setattr rmdir };
+}:dir { create_dir_perms mounton };
allow vold system_data_file:lnk_file getattr;
# Vold create users in /data/vendor_{ce,de}/[0-9]+
diff --git a/public/wificond.te b/public/wificond.te
index 98db0d7..1bd89f5 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -33,11 +33,8 @@
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)
-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
allow wificond wifi_key:keystore2_key {
get_info
use
diff --git a/tests/Android.bp b/tests/Android.bp
index cc0bdc1..743c856 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -50,9 +50,7 @@
},
libs: [
"mini_cil_parser",
- "pysepolwrap",
],
- data: [":libsepolwrap"],
}
python_binary_host {
@@ -146,3 +144,35 @@
name: "check_prop_prefix",
srcs: ["check_prop_prefix.py"],
}
+
+python_binary_host {
+ name: "sepolicy_freeze_test",
+ srcs: [
+ "sepolicy_freeze_test.py",
+ ],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
+ libs: [
+ "mini_cil_parser",
+ ],
+}
+
+python_test_host {
+ name: "policy_test",
+ srcs: [
+ "fc_sort.py",
+ "policy.py",
+ "policy_test.py",
+ ],
+ test_options: {
+ unit_test: true,
+ },
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
+}
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 2cdde3c..ab01745 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -59,13 +59,25 @@
Matcher = Is | Glob | Regex
@dataclass
-class AllowRead:
- """Rule checking if scontext can read the entity"""
+class AllowPerm:
+ """Rule checking if scontext has 'perm' to the entity"""
tclass: str
scontext: set[str]
+ perm: str
-Rule = AllowRead
+@dataclass
+class ResolveType:
+ """Rule checking if type can be resolved"""
+ pass
+
+
+Rule = AllowPerm | ResolveType
+
+
+# Helper for 'read'
+def AllowRead(tclass, scontext):
+ return AllowPerm(tclass, scontext, 'read')
def match_path(path: str, matcher: Matcher) -> bool:
@@ -81,19 +93,31 @@
def check_rule(pol, path: str, tcontext: str, rule: Rule) -> List[str]:
"""Returns error message if scontext can't read the target"""
+ errors = []
match rule:
- case AllowRead(tclass, scontext):
- te_rules = list(pol.QueryTERule(scontext=scontext,
- tcontext={tcontext},
- tclass={tclass},
- perms={'read'}))
- if len(te_rules) > 0:
- return [] # no errors
+ case AllowPerm(tclass, scontext, perm):
+ # Test every source in scontext(set)
+ for s in scontext:
+ te_rules = list(pol.QueryTERule(scontext={s},
+ tcontext={tcontext},
+ tclass={tclass},
+ perms={perm}))
+ if len(te_rules) > 0:
+ continue # no errors
- return [f"Error: {path}: {scontext} can't read. (tcontext={tcontext})"]
+ errors.append(f"Error: {path}: {s} can't {perm}. (tcontext={tcontext})")
+ case ResolveType():
+ if tcontext not in pol.GetAllTypes(False):
+ errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
+ return errors
-rules = [
+target_specific_rules = [
+ (Glob('*'), ResolveType()),
+]
+
+
+generic_rules = [
# permissions
(Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
(Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
@@ -104,11 +128,16 @@
(Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
# ./ and apex_manifest.pb
(Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
- (Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
+ (Is('./'), AllowPerm('dir', {'linkerconfig', 'apexd'}, 'search')),
+ # linker.config.pb
+ (Is('./etc/linker.config.pb'), AllowRead('file', {'linkerconfig'})),
]
-def check_line(pol: policy.Policy, line: str) -> List[str]:
+all_rules = target_specific_rules + generic_rules
+
+
+def check_line(pol: policy.Policy, line: str, rules) -> List[str]:
"""Parses a file_contexts line and runs checks"""
# skip empty/comment line
line = line.strip()
@@ -145,6 +174,7 @@
def do_main(work_dir):
"""Do testing"""
parser = argparse.ArgumentParser()
+ parser.add_argument('--all', action='store_true', help='tests ALL aspects')
parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
args = parser.parse_args()
@@ -152,10 +182,15 @@
policy_path = extract_data('precompiled_sepolicy', work_dir)
pol = policy.Policy(policy_path, None, lib_path)
+ if args.all:
+ rules = all_rules
+ else:
+ rules = generic_rules
+
errors = []
with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
for line in file_contexts:
- errors.extend(check_line(pol, line))
+ errors.extend(check_line(pol, line, rules))
if len(errors) > 0:
sys.exit('\n'.join(errors))
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 125290c..3fee43d 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -43,12 +43,12 @@
return self.__class__.pol
def assert_ok(self, line: str):
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
self.assertEqual(errors, [], "Should be no errors")
def assert_error(self, line: str, expected_error: str):
pattern = re.compile(expected_error)
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
for err in errors:
if re.search(pattern, err):
return
@@ -76,18 +76,31 @@
r'Error: \./etc/permissions/permisssion.xml: .* can\'t read')
def test_initscripts(self):
+ # here, netd_service is chosen randomly for invalid label for a file
+
# init reads .rc file
self.assert_ok('./etc/init.rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init reads .#rc file
self.assert_ok('./etc/init.32rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.32rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.32rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init skips file with unknown extension => no errors
self.assert_ok('./etc/init.x32rc u:object_r:vendor_file:s0')
- self.assert_ok('./etc/init.x32rc u:object_r:unknown:s0')
+ self.assert_ok('./etc/init.x32rc u:object_r:netd_service:s0')
+ def test_linkerconfig(self):
+ self.assert_ok('./etc/linker.config.pb u:object_r:system_file:s0')
+ self.assert_ok('./etc/linker.config.pb u:object_r:linkerconfig_file:s0')
+ self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
+ r'Error: .*linkerconfig.* can\'t read')
+ self.assert_error('./ u:object_r:apex_data_file:s0',
+ r'Error: .*linkerconfig.* can\'t search')
+
+ def test_unknown_label(self):
+ self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
+ r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
index 68511ce..13a7b99 100644
--- a/tests/check_prop_prefix.py
+++ b/tests/check_prop_prefix.py
@@ -76,7 +76,7 @@
print('%d violations found:' % len(violations))
print('\n'.join(violations))
print('******************************')
- print('%s contains properties which are not properly namespaced.' % args.property_contexts)
+ print("vendor's and odm's property_contexts MUST use ONLY vendor-prefixed properties.")
print('This is enforced by VTS, so please fix such offending properties.')
if args.allowed_property_prefix:
print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
diff --git a/tests/policy.py b/tests/policy.py
index 910dd3d..98133b7 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -30,7 +30,46 @@
# 1) there is a match - return True or 2) run out of characters - return
# False.
#
+COMMON_PREFIXES = {
+ "/(vendor|system/vendor)": ["/vendor", "/system/vendor"],
+ "/(odm|vendor/odm)": ["/odm", "/vendor/odm"],
+ "/(product|system/product)": ["/product", "/system/product"],
+ "/(system_ext|system/system_ext)": ["/system_ext", "/system/system_ext"],
+}
+
def MatchPathPrefix(pathregex, prefix):
+ # Before running regex compile loop, try two heuristics, because compiling
+ # regex is too expensive. These two can handle more than 90% out of all
+ # MatchPathPrefix calls.
+
+ # Heuristic 1: handle common prefixes for partitions
+ for c in COMMON_PREFIXES:
+ if not pathregex.startswith(c):
+ continue
+ found = False
+ for p in COMMON_PREFIXES[c]:
+ if prefix.startswith(p):
+ found = True
+ prefix = prefix[len(p):]
+ pathregex = pathregex[len(c):]
+ break
+ if not found:
+ return False
+
+ # Heuristic 2: compare normal characters as long as possible
+ idx = 0
+ while idx < len(prefix):
+ if idx == len(pathregex):
+ return False
+ if pathregex[idx] in fc_sort.META_CHARS or pathregex[idx] == '\\':
+ break
+ if pathregex[idx] != prefix[idx]:
+ return False
+ idx += 1
+ if idx == len(prefix):
+ return True
+
+ # Fall back to regex compile loop.
for i in range(len(pathregex), 0, -1):
try:
pattern = re.compile('^' + pathregex[0:i] + "$")
@@ -70,17 +109,22 @@
# Query policy for the types associated with Attr
TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes)
# Search file_contexts to find types associated with input paths.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
- violators = TypesFc.intersection(TypesPol)
+ PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ violators = set()
+ for PathType in PathTypes:
+ filepath, filetype = PathType
+ if filetype in TypesPol:
+ violators.add((str(filetype), str(filepath)))
+
ret = ""
if len(violators) > 0:
ret += "The following types on "
ret += " ".join(str(x) for x in sorted(MatchPrefix))
ret += " must not be associated with the "
- ret += "\"" + Attr + "\" attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
+ ret += "\"" + Attr + "\" attribute.\n"
+ ret += "Violator types and corresponding paths:\n"
+ ret += "\n".join(str(x) for x in sorted(violators))
+ ret += "\n"
return ret
# Check that all types for "filesystem" have "attribute" associated with them
@@ -102,23 +146,27 @@
# DoNotMatchPrefix have the attribute Attr.
# For example assert that all types in /sys, and not in /sys/kernel/debugfs
# have the sysfs_type attribute.
- def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+ def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
# Query policy for the types associated with Attr
- TypesPol = self.QueryTypeAttribute(Attr, True)
+ TypesPol = self.QueryTypeAttribute(Attr, True) | set(ExcludedTypes)
# Search file_contexts to find paths/types that should be associated with
# Attr.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
- violators = TypesFc.difference(TypesPol)
+ PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ violators = set()
+ for PathType in PathTypes:
+ filepath, filetype = PathType
+ if filetype not in TypesPol:
+ violators.add((str(filetype), str(filepath)))
ret = ""
if len(violators) > 0:
ret += "The following types on "
ret += " ".join(str(x) for x in sorted(MatchPrefix))
ret += " must be associated with the "
- ret += "\"" + Attr + "\" attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
+ ret += "\"" + Attr + "\" attribute.\n"
+ ret += "Violator types and corresponding paths:\n"
+ ret += "\n".join(str(x) for x in sorted(violators))
+ ret += "\n"
return ret
def AssertPropertyOwnersAreExclusive(self):
@@ -295,8 +343,7 @@
# Return types that match MatchPrefixes but do not match
# DoNotMatchPrefixes
def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
- Types = set()
- Files = set()
+ ret = []
MatchPrefixesWithIndex = []
for MatchPrefix in MatchPrefixes:
@@ -307,9 +354,8 @@
for PathType in PathTypes:
if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
- Types.add(PathType[1])
- Files.add(PathType[0])
- return Types, Files
+ ret.append(PathType)
+ return ret
def __GetTERules(self, policydbP, avtabIterP, Rules):
if Rules is None:
@@ -429,6 +475,7 @@
# load file_contexts
def __InitFC(self, FcPaths):
+ self.__FcDict = {}
if FcPaths is None:
return
fc = []
@@ -438,7 +485,6 @@
fd = open(path, "r")
fc += fd.readlines()
fd.close()
- self.__FcDict = {}
for i in fc:
rec = i.split()
try:
@@ -467,3 +513,159 @@
def __del__(self):
if self.__policydbP is not None:
self.__libsepolwrap.destroy_policy(self.__policydbP)
+
+coredomainAllowlist = {
+ # TODO: how do we make sure vendor_init doesn't have bad coupling with
+ # /vendor? It is the only system process which is not coredomain.
+ 'vendor_init',
+ # TODO(b/152813275): need to avoid allowlist for rootdir
+ "modprobe",
+ "slideshow",
+ }
+
+class scontext:
+ def __init__(self):
+ self.fromSystem = False
+ self.fromVendor = False
+ self.coredomain = False
+ self.appdomain = False
+ self.attributes = set()
+ self.entrypoints = []
+ self.entrypointpaths = []
+ self.error = ""
+
+class TestPolicy:
+ """A policy loaded in memory with its domains easily accessible."""
+
+ def __init__(self):
+ self.alldomains = {}
+ self.coredomains = set()
+ self.appdomains = set()
+ self.vendordomains = set()
+ self.pol = None
+
+ # compat vars
+ self.alltypes = set()
+ self.oldalltypes = set()
+ self.compatMapping = None
+ self.pubtypes = set()
+
+ def GetAllDomains(self):
+ for result in self.pol.QueryTypeAttribute("domain", True):
+ self.alldomains[result] = scontext()
+
+ def GetAppDomains(self):
+ for d in self.alldomains:
+ # The application of the "appdomain" attribute is trusted because core
+ # selinux policy contains neverallow rules that enforce that only zygote
+ # and runas spawned processes may transition to processes that have
+ # the appdomain attribute.
+ if "appdomain" in self.alldomains[d].attributes:
+ self.alldomains[d].appdomain = True
+ self.appdomains.add(d)
+
+ def GetCoreDomains(self):
+ for d in self.alldomains:
+ domain = self.alldomains[d]
+ # TestCoredomainViolations will verify if coredomain was incorrectly
+ # applied.
+ if "coredomain" in domain.attributes:
+ domain.coredomain = True
+ self.coredomains.add(d)
+ # check whether domains are executed off of /system or /vendor
+ if d in coredomainAllowlist:
+ continue
+ # TODO(b/153112003): add checks to prevent app domains from being
+ # incorrectly labeled as coredomain. Apps don't have entrypoints as
+ # they're always dynamically transitioned to by zygote.
+ if d in self.appdomains:
+ continue
+ # TODO(b/153112747): need to handle cases where there is a dynamic
+ # transition OR there happens to be no context in AOSP files.
+ if not domain.entrypointpaths:
+ continue
+
+ for path in domain.entrypointpaths:
+ vendor = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/vendor", "/odm"])
+ system = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/init", "/system_ext", "/product" ])
+
+ # only mark entrypoint as system if it is not in legacy /system/vendor
+ if MatchPathPrefix(path, "/system/vendor"):
+ vendor = True
+ elif MatchPathPrefix(path, "/system"):
+ system = True
+
+ if not vendor and not system:
+ domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
+
+ domain.fromSystem = domain.fromSystem or system
+ domain.fromVendor = domain.fromVendor or vendor
+
+ ###
+ # Add the entrypoint type and path(s) to each domain.
+ #
+ def GetDomainEntrypoints(self):
+ for x in self.pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
+ if not x.sctx in self.alldomains:
+ continue
+ self.alldomains[x.sctx].entrypoints.append(str(x.tctx))
+ # postinstall_file represents a special case specific to A/B OTAs.
+ # Update_engine mounts a partition and relabels it postinstall_file.
+ # There is no file_contexts entry associated with postinstall_file
+ # so skip the lookup.
+ if x.tctx == "postinstall_file":
+ continue
+ entrypointpath = self.pol.QueryFc(x.tctx)
+ if not entrypointpath:
+ continue
+ self.alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
+
+ ###
+ # Get attributes associated with each domain
+ #
+ def GetAttributes(self):
+ for domain in self.alldomains:
+ for result in self.pol.QueryTypeAttribute(domain, False):
+ self.alldomains[domain].attributes.add(result)
+
+ def setup(self, pol):
+ self.pol = pol
+ self.GetAllDomains()
+ self.GetAttributes()
+ self.GetDomainEntrypoints()
+ self.GetAppDomains()
+ self.GetCoreDomains()
+
+ def GetAllTypes(self, basepol, oldpol):
+ self.alltypes = basepol.GetAllTypes(False)
+ self.oldalltypes = oldpol.GetAllTypes(False)
+
+ # setup for the policy compatibility tests
+ def compatSetup(self, basepol, oldpol, mapping, types):
+ self.GetAllTypes(basepol, oldpol)
+ self.compatMapping = mapping
+ self.pubtypes = types
+
+ def DomainsWithAttribute(self, attr):
+ domains = []
+ for domain in self.alldomains:
+ if attr in self.alldomains[domain].attributes:
+ domains.append(domain)
+ return domains
+
+ def PrintScontexts(self):
+ for d in sorted(self.alldomains.keys()):
+ sctx = self.alldomains[d]
+ print(d)
+ print("\tcoredomain="+str(sctx.coredomain))
+ print("\tappdomain="+str(sctx.appdomain))
+ print("\tfromSystem="+str(sctx.fromSystem))
+ print("\tfromVendor="+str(sctx.fromVendor))
+ print("\tattributes="+str(sctx.attributes))
+ print("\tentrypoints="+str(sctx.entrypoints))
+ print("\tentrypointpaths=")
+ if sctx.entrypointpaths is not None:
+ for path in sctx.entrypointpaths:
+ print("\t\t"+str(path))
diff --git a/tests/policy_test.py b/tests/policy_test.py
new file mode 100644
index 0000000..3cf4a1b
--- /dev/null
+++ b/tests/policy_test.py
@@ -0,0 +1,56 @@
+# Copyright 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Tests for policy"""
+
+import unittest
+from policy import MatchPathPrefix
+
+# pylint: disable=missing-docstring
+class PolicyTests(unittest.TestCase):
+ def assertMatches(self, path, prefix):
+ self.assertTrue(MatchPathPrefix(path, prefix))
+
+ def assertDoesNotMatch(self, path, prefix):
+ self.assertFalse(MatchPathPrefix(path, prefix))
+
+ # tests
+
+ def test_match_path_prefix(self):
+ # check common prefix heuristics
+ self.assertMatches("/(vendor|system/vendor)/bin/sh", "/vendor/bin")
+ self.assertMatches("/(vendor|system/vendor)/bin/sh", "/system/vendor/bin"),
+ self.assertMatches("/(odm|vendor/odm)/etc/selinux", "/odm/etc"),
+ self.assertMatches("/(odm|vendor/odm)/etc/selinux", "/vendor/odm/etc"),
+ self.assertMatches("/(system_ext|system/system_ext)/bin/foo", "/system_ext/bin"),
+ self.assertMatches("/(system_ext|system/system_ext)/bin/foo", "/system/system_ext/bin"),
+ self.assertMatches("/(product|system/product)/lib/libc.so", "/product/lib"),
+ self.assertMatches("/(product|system/product)/lib/libc.so", "/system/product/lib"),
+ self.assertDoesNotMatch("/(vendor|system/vendor)/bin/sh", "/system/bin"),
+ self.assertDoesNotMatch("/(odm|vendor/odm)/etc/selinux", "/vendor/etc"),
+ self.assertDoesNotMatch("/(system_ext|system/system_ext)/bin/foo", "/system/bin"),
+ self.assertDoesNotMatch("/(product|system/product)/lib/libc.so", "/system/lib"),
+
+ # check generic regex
+ self.assertMatches("(/.*)+", "/system/etc/vintf")
+ self.assertDoesNotMatch("(/.*)+", "foo/bar/baz")
+
+ self.assertMatches("/(system|product)/lib(64)?(/.*)+.*\.so", "/system/lib/hw/libbaz.so")
+ self.assertMatches("/(system|product)/lib(64)?(/.*)+.*\.so", "/system/lib64/")
+ self.assertMatches("/(system|product)/lib(64)?(/.*)+.*\.so", "/product/lib/hw/libbaz.so")
+ self.assertMatches("/(system|product)/lib(64)?(/.*)+.*\.so", "/product/lib64/")
+ self.assertDoesNotMatch("/(system|product)/lib(64)?(/.*)+.*\.so", "/vendor/lib/hw/libbaz.so")
+ self.assertDoesNotMatch("/(system|product)/lib(64)?(/.*)+.*\.so", "/odm/lib64/")
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
new file mode 100644
index 0000000..72c8fde
--- /dev/null
+++ b/tests/sepolicy_freeze_test.py
@@ -0,0 +1,56 @@
+# Copyright 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from optparse import OptionParser
+import mini_parser
+import os
+import sys
+
+def do_main():
+ usage = "sepolicy_freeze_test "
+ usage += "-c current_cil -p prebuilt_cil [--help]"
+ parser = OptionParser(usage=usage)
+ parser.add_option("-c", "--current", dest="current", metavar="FILE")
+ parser.add_option("-p", "--prebuilt", dest="prebuilt", metavar="FILE")
+
+ (options, args) = parser.parse_args()
+
+ if not options.current or not options.prebuilt:
+ sys.exit("Must specify both current and prebuilt\n" + parser.usage)
+ if not os.path.exists(options.current):
+ sys.exit("Current policy " + options.current + " does not exist\n"
+ + parser.usage)
+ if not os.path.exists(options.prebuilt):
+ sys.exit("Prebuilt policy " + options.prebuilt + " does not exist\n"
+ + parser.usage)
+
+ current_policy = mini_parser.MiniCilParser(options.current)
+ prebuilt_policy = mini_parser.MiniCilParser(options.prebuilt)
+
+ results = ""
+ removed_types = prebuilt_policy.types - current_policy.types
+ removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
+ removed_attributes = set(filter(lambda x: "base_typeattr_" not in x, removed_attributes))
+
+ if removed_types:
+ results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
+
+ if removed_attributes:
+ results += "The following public attributes were removed:\n" + ", ".join(removed_attributes) + "\n"
+
+ if len(results) > 0:
+ sys.exit(results)
+
+if __name__ == '__main__':
+ do_main()
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 63144dd..7a341cb 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -84,8 +84,11 @@
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
def TestCoreDataTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
+ ret = pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
+ ret += pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
+ "/data/vendor_de/"], [], "core_data_file_type")
+ return ret
def TestPropertyTypeViolations(pol):
return pol.AssertPropertyOwnersAreExclusive()
@@ -115,7 +118,168 @@
return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
"dmabuf_heap_device_type")
+def TestCoredomainViolations(test_policy):
+ # verify that all domains launched from /system have the coredomain
+ # attribute
+ ret = ""
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromSystem and domain.fromVendor:
+ ret += "The following domain is system and vendor: " + d + "\n"
+
+ for domain in test_policy.alldomains.values():
+ ret += domain.error
+
+ violators = []
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromSystem and "coredomain" not in domain.attributes:
+ violators.append(d);
+ if len(violators) > 0:
+ ret += "The following domain(s) must be associated with the "
+ ret += "\"coredomain\" attribute because they are executed off of "
+ ret += "/system:\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+ # verify that all domains launched form /vendor do not have the coredomain
+ # attribute
+ violators = []
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromVendor and "coredomain" in domain.attributes:
+ violators.append(d)
+ if len(violators) > 0:
+ ret += "The following domains must not be associated with the "
+ ret += "\"coredomain\" attribute because they are executed off of "
+ ret += "/vendor or /system/vendor:\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+ return ret
+
+def TestViolatorAttribute(test_policy, attribute):
+ # TODO(b/113124961): re-enable once all violator attributes are removed.
+ return ""
+
+ # ret = ""
+ # return ret
+
+ # violators = test_policy.DomainsWithAttribute(attribute)
+ # if len(violators) > 0:
+ # ret += "SELinux: The following domains violate the Treble ban "
+ # ret += "against use of the " + attribute + " attribute: "
+ # ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ # return ret
+
+def TestViolatorAttributes(test_policy):
+ ret = ""
+ ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
+ ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
+ return ret
+
+def TestIsolatedAttributeConsistency(test_policy):
+ permissionAllowList = {
+ # access given from technical_debt.cil
+ "codec2_config_prop" : ["file"],
+ "device_config_nnapi_native_prop":["file"],
+ "hal_allocator_default":["binder", "fd"],
+ "hal_codec2": ["binder", "fd"],
+ "hal_codec2_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator": ["binder", "fd"],
+ "hal_graphics_allocator_service":["service_manager"],
+ "hal_graphics_allocator_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator_server":["binder", "service_manager"],
+ "hal_graphics_mapper_hwservice":["hwservice_manager"],
+ "hal_neuralnetworks": ["binder", "fd"],
+ "hal_neuralnetworks_service": ["service_manager"],
+ "hal_neuralnetworks_hwservice":["hwservice_manager"],
+ "hal_omx_hwservice":["hwservice_manager"],
+ "hidl_allocator_hwservice":["hwservice_manager"],
+ "hidl_manager_hwservice":["hwservice_manager"],
+ "hidl_memory_hwservice":["hwservice_manager"],
+ "hidl_token_hwservice":["hwservice_manager"],
+ "hwservicemanager":["binder"],
+ "hwservicemanager_prop":["file"],
+ "mediacodec":["binder", "fd"],
+ "mediaswcodec":["binder", "fd"],
+ "media_variant_prop":["file"],
+ "nnapi_ext_deny_product_prop":["file"],
+ "servicemanager":["fd"],
+ "toolbox_exec": ["file"],
+ # extra types being granted to isolated_compute_app
+ "isolated_compute_allowed":["service_manager", "chr_file"],
+ }
+
+ def resolveHalServerSubtype(target):
+ # permission given as a client in technical_debt.cil
+ hal_server_attributes = [
+ "hal_codec2_server",
+ "hal_graphics_allocator_server",
+ "hal_neuralnetworks_server"]
+
+ for attr in hal_server_attributes:
+ if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
+ return attr.rsplit("_", 1)[0]
+ return target
+
+ def checkIsolatedComputeAllowed(tctx, tclass):
+ # check if the permission is in isolated_compute_allowed
+ allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
+ .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
+ return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
+
+ def checkPermissions(permissions):
+ violated_permissions = []
+ for perm in permissions:
+ tctx, tclass, p = perm.split(":")
+ tctx = resolveHalServerSubtype(tctx)
+ # check unwanted permissions
+ if not checkIsolatedComputeAllowed(tctx, tclass) and \
+ ( tctx not in permissionAllowList \
+ or tclass not in permissionAllowList[tctx] \
+ or ( p == "write") \
+ or ( p == "rw_file_perms") ):
+ violated_permissions += [perm]
+ return violated_permissions
+
+ ret = ""
+
+ isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
+ baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
+ basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in baseRules for perm in rule.perms])
+ for subType in isolatedMemberTypes:
+ if subType == "isolated_app" : continue
+ currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
+ typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in currentTypeRule for perm in rule.perms
+ if not rule.tctx in [subType, subType + "_userfaultfd"]])
+ deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
+ violated_permissions = checkPermissions(list(deltaPermissionSet))
+ for perm in violated_permissions:
+ ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
+
+ if ret:
+ ret = ("Found prohibited permission granted for isolated like types. " + \
+ "Please replace your allow statements that involve \"-isolated_app\" with " + \
+ "\"-isolated_app_all\". Violations are shown as the following: \n") + ret
+ return ret
+
+def TestDevTypeViolations(pol):
+ exceptions = [
+ "/dev/socket",
+ ]
+ exceptionTypes = [
+ "boringssl_self_test_marker", # /dev/boringssl/selftest
+ "cgroup_rc_file", # /dev/cgroup.rc
+ "dev_cpu_variant", # /dev/cpu_variant:{arch}
+ "fscklogs", # /dev/fscklogs
+ "properties_serial", # /dev/__properties__/properties_serial
+ "property_info", # /dev/__properties__/property_info
+ "runtime_event_log_tags_file", # /dev/event-log-tags
+ ]
+ return pol.AssertPathTypesHaveAttr(["/dev"], exceptions,
+ "dev_type", exceptionTypes)
###
# extend OptionParser to allow the same option flag to be used multiple times.
@@ -147,6 +311,10 @@
"TestPropertyTypeViolations",
"TestAppDataTypeViolations",
"TestDmaHeapDevTypeViolations",
+ "TestCoredomainViolations",
+ "TestViolatorAttributes",
+ "TestIsolatedAttributeConsistency",
+ "TestDevTypeViolations",
]
def do_main(libpath):
@@ -179,6 +347,8 @@
parser.usage)
pol = policy.Policy(options.policy, options.file_contexts, libpath)
+ test_policy = policy.TestPolicy()
+ test_policy.setup(pol)
results = ""
# If an individual test is not specified, run all tests.
@@ -206,6 +376,16 @@
results += TestAppDataTypeViolations(pol)
if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
results += TestDmaHeapDevTypeViolations(pol)
+ if options.test is None or "TestCoredomainViolations" in options.test:
+ results += TestCoredomainViolations(test_policy)
+ if options.test is None or "TestViolatorAttributes" in options.test:
+ results += TestViolatorAttributes(test_policy)
+ if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
+ results += TestIsolatedAttributeConsistency(test_policy)
+
+ # dev type test won't be run as default
+ if options.test and "TestDevTypeViolations" in options.test:
+ results += TestDevTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 0628d35..ff1a348 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,236 +16,30 @@
from optparse import Option, OptionValueError
import os
import mini_parser
-import pkgutil
-import policy
-from policy import MatchPathPrefix
import re
import shutil
import sys
import tempfile
-DEBUG=False
-SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
-
-# TODO(b/266998144): consider rename this file.
-
'''
-Use file_contexts and policy to verify Treble requirements
-are not violated.
+Verify that Treble compatibility are not broken.
'''
-coredomainAllowlist = {
- # TODO: how do we make sure vendor_init doesn't have bad coupling with
- # /vendor? It is the only system process which is not coredomain.
- 'vendor_init',
- # TODO(b/152813275): need to avoid allowlist for rootdir
- "modprobe",
- "slideshow",
- }
-
-class scontext:
- def __init__(self):
- self.fromSystem = False
- self.fromVendor = False
- self.coredomain = False
- self.appdomain = False
- self.attributes = set()
- self.entrypoints = []
- self.entrypointpaths = []
- self.error = ""
-
-
-class TestPolicy:
- """A policy loaded in memory with its domains easily accessible."""
-
- def __init__(self):
- self.alldomains = {}
- self.coredomains = set()
- self.appdomains = set()
- self.vendordomains = set()
- self.pol = None
-
- # compat vars
- self.alltypes = set()
- self.oldalltypes = set()
- self.compatMapping = None
- self.pubtypes = set()
-
- # Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
- self.FakeTreble = False
-
- def GetAllDomains(self):
- for result in self.pol.QueryTypeAttribute("domain", True):
- self.alldomains[result] = scontext()
-
- def GetAppDomains(self):
- for d in self.alldomains:
- # The application of the "appdomain" attribute is trusted because core
- # selinux policy contains neverallow rules that enforce that only zygote
- # and runas spawned processes may transition to processes that have
- # the appdomain attribute.
- if "appdomain" in self.alldomains[d].attributes:
- self.alldomains[d].appdomain = True
- self.appdomains.add(d)
-
- def GetCoreDomains(self):
- for d in self.alldomains:
- domain = self.alldomains[d]
- # TestCoredomainViolations will verify if coredomain was incorrectly
- # applied.
- if "coredomain" in domain.attributes:
- domain.coredomain = True
- self.coredomains.add(d)
- # check whether domains are executed off of /system or /vendor
- if d in coredomainAllowlist:
- continue
- # TODO(b/153112003): add checks to prevent app domains from being
- # incorrectly labeled as coredomain. Apps don't have entrypoints as
- # they're always dynamically transitioned to by zygote.
- if d in self.appdomains:
- continue
- # TODO(b/153112747): need to handle cases where there is a dynamic
- # transition OR there happens to be no context in AOSP files.
- if not domain.entrypointpaths:
- continue
-
- for path in domain.entrypointpaths:
- vendor = any(MatchPathPrefix(path, prefix) for prefix in
- ["/vendor", "/odm"])
- system = any(MatchPathPrefix(path, prefix) for prefix in
- ["/init", "/system_ext", "/product" ])
-
- # only mark entrypoint as system if it is not in legacy /system/vendor
- if MatchPathPrefix(path, "/system/vendor"):
- vendor = True
- elif MatchPathPrefix(path, "/system"):
- system = True
-
- if not vendor and not system:
- domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
-
- domain.fromSystem = domain.fromSystem or system
- domain.fromVendor = domain.fromVendor or vendor
-
- ###
- # Add the entrypoint type and path(s) to each domain.
- #
- def GetDomainEntrypoints(self):
- for x in self.pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
- if not x.sctx in self.alldomains:
- continue
- self.alldomains[x.sctx].entrypoints.append(str(x.tctx))
- # postinstall_file represents a special case specific to A/B OTAs.
- # Update_engine mounts a partition and relabels it postinstall_file.
- # There is no file_contexts entry associated with postinstall_file
- # so skip the lookup.
- if x.tctx == "postinstall_file":
- continue
- entrypointpath = self.pol.QueryFc(x.tctx)
- if not entrypointpath:
- continue
- self.alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
-
- ###
- # Get attributes associated with each domain
- #
- def GetAttributes(self):
- for domain in self.alldomains:
- for result in self.pol.QueryTypeAttribute(domain, False):
- self.alldomains[domain].attributes.add(result)
-
- def setup(self, pol):
- self.pol = pol
- self.GetAllDomains()
- self.GetAttributes()
- self.GetDomainEntrypoints()
- self.GetAppDomains()
- self.GetCoreDomains()
-
- def GetAllTypes(self, basepol, oldpol):
- self.alltypes = basepol.GetAllTypes(False)
- self.oldalltypes = oldpol.GetAllTypes(False)
-
- # setup for the policy compatibility tests
- def compatSetup(self, basepol, oldpol, mapping, types):
- self.GetAllTypes(basepol, oldpol)
- self.compatMapping = mapping
- self.pubtypes = types
-
- def DomainsWithAttribute(self, attr):
- domains = []
- for domain in self.alldomains:
- if attr in self.alldomains[domain].attributes:
- domains.append(domain)
- return domains
-
- def PrintScontexts(self):
- for d in sorted(self.alldomains.keys()):
- sctx = self.alldomains[d]
- print(d)
- print("\tcoredomain="+str(sctx.coredomain))
- print("\tappdomain="+str(sctx.appdomain))
- print("\tfromSystem="+str(sctx.fromSystem))
- print("\tfromVendor="+str(sctx.fromVendor))
- print("\tattributes="+str(sctx.attributes))
- print("\tentrypoints="+str(sctx.entrypoints))
- print("\tentrypointpaths=")
- if sctx.entrypointpaths is not None:
- for path in sctx.entrypointpaths:
- print("\t\t"+str(path))
#############################################################
# Tests
#############################################################
-def TestCoredomainViolations(test_policy):
- # verify that all domains launched from /system have the coredomain
- # attribute
- ret = ""
-
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromSystem and domain.fromVendor:
- ret += "The following domain is system and vendor: " + d + "\n"
-
- for domain in test_policy.alldomains.values():
- ret += domain.error
-
- violators = []
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromSystem and "coredomain" not in domain.attributes:
- violators.append(d);
- if len(violators) > 0:
- ret += "The following domain(s) must be associated with the "
- ret += "\"coredomain\" attribute because they are executed off of "
- ret += "/system:\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
-
- # verify that all domains launched form /vendor do not have the coredomain
- # attribute
- violators = []
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromVendor and "coredomain" in domain.attributes:
- violators.append(d)
- if len(violators) > 0:
- ret += "The following domains must not be associated with the "
- ret += "\"coredomain\" attribute because they are executed off of "
- ret += "/vendor or /system/vendor:\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
-
- return ret
###
# Make sure that any new public type introduced in the new policy that was not
# present in the old policy has been recorded in the mapping file.
-def TestNoUnmappedNewTypes(test_policy):
- newt = test_policy.alltypes - test_policy.oldalltypes
+def TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping):
+ newt = base_pub_policy.types - old_pub_policy.types
ret = ""
violators = []
for n in newt:
- if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None:
+ if mapping.rTypeattributesets.get(n) is None:
violators.append(n)
if len(violators) > 0:
@@ -262,13 +56,13 @@
###
# Make sure that any public type removed in the current policy has its
# declaration added to the mapping file for use in non-platform policy
-def TestNoUnmappedRmTypes(test_policy):
- rmt = test_policy.oldalltypes - test_policy.alltypes
+def TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping):
+ rmt = old_pub_policy.types - base_pub_policy.types
ret = ""
violators = []
for o in rmt:
- if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types:
+ if o in mapping.pubtypes and not o in mapping.types:
violators.append(o)
if len(violators) > 0:
@@ -281,124 +75,11 @@
ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
return ret
-def TestTrebleCompatMapping(test_policy):
- ret = TestNoUnmappedNewTypes(test_policy)
- ret += TestNoUnmappedRmTypes(test_policy)
+def TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping):
+ ret = TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping)
+ ret += TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping)
return ret
-def TestViolatorAttribute(test_policy, attribute):
- ret = ""
- if test_policy.FakeTreble:
- return ret
-
- violators = test_policy.DomainsWithAttribute(attribute)
- if len(violators) > 0:
- ret += "SELinux: The following domains violate the Treble ban "
- ret += "against use of the " + attribute + " attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- return ret
-
-def TestViolatorAttributes(test_policy):
- ret = ""
- ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
- ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
- return ret
-
-# TODO move this to sepolicy_tests
-def TestCoreDataTypeViolations(test_policy):
- return test_policy.pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
- "/data/vendor_de/"], [], "core_data_file_type")
-
-# TODO move this to sepolicy_tests
-def TestIsolatedAttributeConsistency(test_policy):
- permissionAllowList = {
- # access given from technical_debt.cil
- "codec2_config_prop" : ["file"],
- "device_config_nnapi_native_prop":["file"],
- "hal_allocator_default":["binder", "fd"],
- "hal_codec2": ["binder", "fd"],
- "hal_codec2_hwservice":["hwservice_manager"],
- "hal_graphics_allocator": ["binder", "fd"],
- "hal_graphics_allocator_service":["service_manager"],
- "hal_graphics_allocator_hwservice":["hwservice_manager"],
- "hal_graphics_allocator_server":["binder", "service_manager"],
- "hal_graphics_mapper_hwservice":["hwservice_manager"],
- "hal_neuralnetworks": ["binder", "fd"],
- "hal_neuralnetworks_service": ["service_manager"],
- "hal_neuralnetworks_hwservice":["hwservice_manager"],
- "hal_omx_hwservice":["hwservice_manager"],
- "hidl_allocator_hwservice":["hwservice_manager"],
- "hidl_manager_hwservice":["hwservice_manager"],
- "hidl_memory_hwservice":["hwservice_manager"],
- "hidl_token_hwservice":["hwservice_manager"],
- "hwservicemanager":["binder"],
- "hwservicemanager_prop":["file"],
- "mediacodec":["binder", "fd"],
- "mediaswcodec":["binder", "fd"],
- "media_variant_prop":["file"],
- "nnapi_ext_deny_product_prop":["file"],
- "servicemanager":["fd"],
- "toolbox_exec": ["file"],
- # extra types being granted to isolated_compute_app
- "isolated_compute_allowed":["service_manager", "chr_file"],
- }
-
- def resolveHalServerSubtype(target):
- # permission given as a client in technical_debt.cil
- hal_server_attributes = [
- "hal_codec2_server",
- "hal_graphics_allocator_server",
- "hal_neuralnetworks_server"]
-
- for attr in hal_server_attributes:
- if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
- return attr.rsplit("_", 1)[0]
- return target
-
- def checkIsolatedComputeAllowed(tctx, tclass):
- # check if the permission is in isolated_compute_allowed
- allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
- .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
- return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
-
-
- def checkPermissions(permissions):
- violated_permissions = []
- for perm in permissions:
- tctx, tclass, p = perm.split(":")
- tctx = resolveHalServerSubtype(tctx)
- # check unwanted permissions
- if not checkIsolatedComputeAllowed(tctx, tclass) and \
- ( tctx not in permissionAllowList \
- or tclass not in permissionAllowList[tctx] \
- or ( p == "write") \
- or ( p == "rw_file_perms") ):
- violated_permissions += [perm]
- return violated_permissions
-
- ret = ""
-
- isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
- baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
- basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
- for rule in baseRules for perm in rule.perms])
- for subType in isolatedMemberTypes:
- if subType == "isolated_app" : continue
- currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
- typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
- for rule in currentTypeRule for perm in rule.perms
- if not rule.tctx in [subType, subType + "_userfaultfd"]])
- deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
- violated_permissions = checkPermissions(list(deltaPermissionSet))
- for perm in violated_permissions:
- ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
-
- if ret:
- ret = ("Found prohibited permission granted for isolated like types. " + \
- "Please replace your allow statements that involve \"-isolated_app\" with " + \
- "\"-isolated_app_all\". Violations are shown as the following: \n") + ret
- return ret
-
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -416,111 +97,38 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = {"CoredomainViolations": TestCoredomainViolations,
- "CoreDatatypeViolations": TestCoreDataTypeViolations,
- "TrebleCompatMapping": TestTrebleCompatMapping,
- "ViolatorAttributes": TestViolatorAttributes,
- "IsolatedAttributeConsistency": TestIsolatedAttributeConsistency}
-
-def do_main(libpath):
- """
- Args:
- libpath: string, path to libsepolwrap.so
- """
- test_policy = TestPolicy()
-
+def do_main():
usage = "treble_sepolicy_tests "
- usage += "-f nonplat_file_contexts -f plat_file_contexts "
- usage += "-p curr_policy -b base_policy -o old_policy "
- usage +="-m mapping file [--test test] [--help]"
+ usage += "-b base_pub_policy -o old_pub_policy "
+ usage += "-m mapping file [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
- parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
- parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
+ parser.add_option("-b", "--base-pub-policy", dest="base_pub_policy",
metavar="FILE")
- parser.add_option("-f", "--file_contexts", dest="file_contexts",
- metavar="FILE", action="extend", type="string")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
- parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
- parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
- parser.add_option("-t", "--test", dest="tests", action="extend",
- help="Test options include "+str(Tests))
- parser.add_option("--fake-treble", action="store_true", dest="faketreble",
- default=False)
+ parser.add_option("-o", "--old-pub-policy", dest="old_pub_policy",
+ metavar="FILE")
(options, args) = parser.parse_args()
- if not options.policy:
- sys.exit("Must specify current monolithic policy file\n" + parser.usage)
- if not os.path.exists(options.policy):
- sys.exit("Error: policy file " + options.policy + " does not exist\n"
- + parser.usage)
- if not options.file_contexts:
- sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
- for f in options.file_contexts:
- if not os.path.exists(f):
- sys.exit("Error: File_contexts file " + f + " does not exist\n" +
- parser.usage)
-
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
- if options.tests is None or options.tests == "TrebleCompatMapping":
- if not options.basepolicy:
- sys.exit("Must specify the current platform-only policy file\n"
- + parser.usage)
- if not options.mapping:
- sys.exit("Must specify a compatibility mapping file\n"
- + parser.usage)
- if not options.oldpolicy:
- sys.exit("Must specify the previous monolithic policy file\n"
- + parser.usage)
- if not options.base_pub_policy:
- sys.exit("Must specify the current platform-only public policy "
- + ".cil file\n" + parser.usage)
- basepol = policy.Policy(options.basepolicy, None, libpath)
- oldpol = policy.Policy(options.oldpolicy, None, libpath)
- mapping = mini_parser.MiniCilParser(options.mapping)
- pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
- test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types)
+ if not options.mapping:
+ sys.exit("Must specify a compatibility mapping file\n"
+ + parser.usage)
+ if not options.old_pub_policy:
+ sys.exit("Must specify the previous public policy .cil file\n"
+ + parser.usage)
+ if not options.base_pub_policy:
+ sys.exit("Must specify the current platform-only public policy "
+ + ".cil file\n" + parser.usage)
+ mapping = mini_parser.MiniCilParser(options.mapping)
+ base_pub_policy = mini_parser.MiniCilParser(options.base_pub_policy)
+ old_pub_policy = mini_parser.MiniCilParser(options.old_pub_policy)
- if options.faketreble:
- test_policy.FakeTreble = True
-
- pol = policy.Policy(options.policy, options.file_contexts, libpath)
- test_policy.setup(pol)
-
- if DEBUG:
- test_policy.PrintScontexts()
-
- results = ""
- # If an individual test is not specified, run all tests.
- if options.tests is None:
- for t in Tests.values():
- results += t(test_policy)
- else:
- for tn in options.tests:
- t = Tests.get(tn)
- if t:
- results += t(test_policy)
- else:
- err = "Error: unknown test: " + tn + "\n"
- err += "Available tests:\n"
- for tn in Tests.keys():
- err += tn + "\n"
- sys.exit(err)
+ results = TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping)
if len(results) > 0:
sys.exit(results)
if __name__ == '__main__':
- temp_dir = tempfile.mkdtemp()
- try:
- libname = "libsepolwrap" + SHARED_LIB_EXTENSION
- libpath = os.path.join(temp_dir, libname)
- with open(libpath, "wb") as f:
- blob = pkgutil.get_data("treble_sepolicy_tests", libname)
- if not blob:
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
- f.write(blob)
- do_main(libpath)
- finally:
- shutil.rmtree(temp_dir)
+ do_main()
diff --git a/tools/Android.mk b/tools/Android.mk
deleted file mode 100644
index 34f4385..0000000
--- a/tools/Android.mk
+++ /dev/null
@@ -1,3 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 13299dc..02882af 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -21,6 +21,7 @@
#define log_info(fmt, ...) if (logging_verbose ) { log_msg(stdout, "Info: ", fmt, ##__VA_ARGS__); }
#define APP_DATA_REQUIRED_ATTRIB "app_data_file_type"
+#define COREDOMAIN "coredomain"
/**
* Initializes an empty, static list.
@@ -61,6 +62,7 @@
typedef struct list list;
typedef struct key_map_regex key_map_regex;
typedef struct file_info file_info;
+typedef struct coredomain_violation_entry coredomain_violation_entry;
enum map_match {
map_no_matches,
@@ -106,7 +108,7 @@
key_dir dir;
char *data;
key_map_regex regex;
- bool (*fn_validate)(char *value, char **errmsg);
+ bool (*fn_validate)(char *value, const char *filename, int lineno, char **errmsg);
};
/**
@@ -149,6 +151,7 @@
sepol_policy_file_t *pf;
sepol_handle_t *handle;
sepol_context_t *con;
+ bool vendor;
};
struct file_info {
@@ -157,6 +160,14 @@
list_element listify;
};
+struct coredomain_violation_entry {
+ list_element listify;
+ char *domain;
+ char *filename;
+ int lineno;
+};
+
+static void coredomain_violation_list_freefn(list_element *e);
static void input_file_list_freefn(list_element *e);
static void line_order_list_freefn(list_element *e);
static void rule_map_free(rule_map *rm, bool is_in_htable);
@@ -169,13 +180,16 @@
static list input_file_list = list_init(input_file_list_freefn);
+static list coredomain_violation_list = list_init(coredomain_violation_list_freefn);
+
static policy_info pol = {
.policy_file_name = NULL,
.policy_file = NULL,
.db = NULL,
.pf = NULL,
.handle = NULL,
- .con = NULL
+ .con = NULL,
+ .vendor = false
};
/**
@@ -192,12 +206,12 @@
static list nallow_list = list_init(line_order_list_freefn);
/* validation call backs */
-static bool validate_bool(char *value, char **errmsg);
-static bool validate_levelFrom(char *value, char **errmsg);
-static bool validate_domain(char *value, char **errmsg);
-static bool validate_type(char *value, char **errmsg);
-static bool validate_selinux_level(char *value, char **errmsg);
-static bool validate_uint(char *value, char **errmsg);
+static bool validate_bool(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_levelFrom(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_domain(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_type(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_selinux_level(char *value, const char *filename, int lineno, char **errmsg);
+static bool validate_uint(char *value, const char *filename, int lineno, char **errmsg);
/**
* The heart of the mapping process, this must be updated if a new key value pair is added
@@ -279,6 +293,14 @@
free(f);
}
+static void coredomain_violation_list_freefn(list_element *e) {
+ coredomain_violation_entry *c = list_entry(e, typeof(*c), listify);
+
+ free(c->domain);
+ free(c->filename);
+ free(c);
+}
+
/**
* Send a logging message to a file
* @param out
@@ -378,8 +400,11 @@
return true;
}
-static bool validate_bool(char *value, char **errmsg) {
-
+static bool validate_bool(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
if (!strcmp("true", value) || !strcmp("false", value)) {
return true;
}
@@ -388,8 +413,11 @@
return false;
}
-static bool validate_levelFrom(char *value, char **errmsg) {
-
+static bool validate_levelFrom(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
if (strcasecmp(value, "none") && strcasecmp(value, "all") &&
strcasecmp(value, "app") && strcasecmp(value, "user")) {
*errmsg = "Expecting one of: \"none\", \"all\", \"app\" or \"user\"";
@@ -398,7 +426,7 @@
return true;
}
-static bool validate_domain(char *value, char **errmsg) {
+static bool validate_domain(char *value, const char *filename, int lineno, char **errmsg) {
#if defined(LINK_SEPOL_STATIC)
/*
@@ -409,17 +437,37 @@
return true;
}
- if (!find_type(pol.db, value, TYPE_TYPE)) {
+ type_datum_t *type_dat = find_type(pol.db, value, TYPE_TYPE);
+ if (!type_dat) {
*errmsg = "Expecting a valid SELinux type";
return false;
}
+
+ if (pol.vendor) {
+ type_datum_t *attrib_dat = find_type(pol.db, COREDOMAIN, TYPE_ATTRIB);
+ if (!attrib_dat) {
+ *errmsg = "The attribute " COREDOMAIN " is not defined in the policy";
+ return false;
+ }
+
+ if (type_has_attribute(pol.db, type_dat, attrib_dat)) {
+ coredomain_violation_entry *entry = (coredomain_violation_entry *)malloc(sizeof(*entry));
+ entry->domain = strdup(value);
+ entry->filename = strdup(filename);
+ entry->lineno = lineno;
+ list_append(&coredomain_violation_list, &entry->listify);
+ }
+ }
#endif
return true;
}
-static bool validate_type(char *value, char **errmsg) {
-
+static bool validate_type(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
#if defined(LINK_SEPOL_STATIC)
/*
* No policy file present means we cannot check
@@ -452,8 +500,11 @@
return true;
}
-static bool validate_selinux_level(char *value, char **errmsg) {
-
+static bool validate_selinux_level(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
/*
* No policy file present means we cannot check
* SE Linux MLS
@@ -471,8 +522,11 @@
return true;
}
-static bool validate_uint(char *value, char **errmsg) {
-
+static bool validate_uint(
+ char *value,
+ __attribute__ ((unused)) const char *filename,
+ __attribute__ ((unused)) int lineno,
+ char **errmsg) {
char *endptr;
long longvalue;
longvalue = strtol(value, &endptr, 10);
@@ -529,7 +583,7 @@
/* If the key has a validation routine, call it */
if (m->fn_validate) {
- rc = m->fn_validate(value, &errmsg);
+ rc = m->fn_validate(value, filename, lineno, &errmsg);
if (!rc) {
log_error("Could not validate key \"%s\" for value \"%s\" on line: %d in file: \"%s\": %s\n", key, value,
@@ -997,7 +1051,7 @@
int c;
file_info *input_file;
- while ((c = getopt(argc, argv, "ho:p:v")) != -1) {
+ while ((c = getopt(argc, argv, "ho:p:vc")) != -1) {
switch (c) {
case 'h':
usage();
@@ -1011,6 +1065,9 @@
case 'v':
log_set_verbose();
break;
+ case 'c':
+ pol.vendor = true;
+ break;
case '?':
if (optopt == 'o' || optopt == 'p')
log_error("Option -%c requires an argument.\n", optopt);
@@ -1229,6 +1286,7 @@
bool found_issues = false;
hash_entry *e;
rule_map *r;
+ coredomain_violation_entry *c;
list_for_each(&line_order_list, cursor) {
e = list_entry(cursor, typeof(*e), listify);
rule_map_validate(e->r);
@@ -1248,6 +1306,25 @@
}
}
+ bool coredomain_violation = false;
+ list_for_each(&coredomain_violation_list, cursor) {
+ c = list_entry(cursor, typeof(*c), listify);
+ fprintf(stderr, "Forbidden attribute " COREDOMAIN " assigned to domain \"%s\" in "
+ "File \"%s\" on line %d\n", c->domain, c->filename, c->lineno);
+ coredomain_violation = true;
+ }
+
+ if (coredomain_violation) {
+ fprintf(stderr, "********************************************************************************\n");
+ fprintf(stderr, "You tried to assign coredomain with vendor seapp_contexts, which is not allowed.\n"
+ "Either move offending entries to system, system_ext, or product seapp_contexts,\n"
+ "or remove 'coredomain' attribute from the domains.\n"
+ "See an example of how to fix this:\n"
+ "https://android-review.googlesource.com/2671075\n");
+ fprintf(stderr, "********************************************************************************\n");
+ found_issues = true;
+ }
+
if (found_issues) {
exit(EXIT_FAILURE);
}
@@ -1306,6 +1383,7 @@
list_free(&input_file_list);
list_free(&line_order_list);
list_free(&nallow_list);
+ list_free(&coredomain_violation_list);
hdestroy();
}
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 83c631e..051e24b 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -7,6 +7,7 @@
#include <sepol/module.h>
#include <sepol/policydb/policydb.h>
#include <sepol/sepol.h>
+#include <selinux/context.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
#include <sys/stat.h>
@@ -209,8 +210,14 @@
"If -e is specified, then the context_file is allowed to be empty.\n\n"
"usage2: %s -c file_contexts1 file_contexts2\n\n"
- "Compares two file contexts files and reports one of subset, equal, superset, or incomparable.\n\n",
- name, name);
+ "Compares two file contexts files and reports one of \n"
+ "subset, equal, superset, or incomparable.\n\n"
+
+ "usage3: %s -t file_contexts test_data\n\n"
+ "Validates a file contexts file against test_data.\n"
+ "test_data is a text file where each line has the format:\n"
+ " path expected_type\n\n\n",
+ name, name, name);
exit(1);
}
@@ -264,6 +271,88 @@
printf("%s\n", result_str[result]);
}
+static int warnings = 0;
+static int log_callback(int type, const char *fmt, ...) {
+ va_list ap;
+
+ if (type == SELINUX_WARNING) {
+ warnings += 1;
+ }
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ return 0;
+}
+
+static void do_test_data_and_die_on_error(struct selinux_opt opts[], unsigned int backend,
+ char *paths[])
+{
+ opts[0].value = NULL; /* not validating against a policy */
+ opts[1].value = paths[0];
+ global_state.sepolicy.sehnd[0] = selabel_open(backend, opts, 2);
+ if (!global_state.sepolicy.sehnd[0]) {
+ fprintf(stderr, "Error: could not load context file from %s: %s\n",
+ paths[0], strerror(errno));
+ exit(1);
+ }
+
+ FILE* test_data = fopen(paths[1], "r");
+ if (test_data == NULL) {
+ fprintf(stderr, "Error: could not load test file from %s : %s\n",
+ paths[1], strerror(errno));
+ exit(1);
+ }
+
+ char line[1024];
+ while (fgets(line, sizeof(line), test_data)) {
+ char *path;
+ char *expected_type;
+
+ if (!strcmp(line, "\n") || line[0] == '#') {
+ continue;
+ }
+
+ int ret = sscanf(line, "%ms %ms", &path, &expected_type);
+ if (ret != 2) {
+ fprintf(stderr, "Error: unable to parse the line %s\n", line);
+ exit(1);
+ }
+
+ char *found_context;
+ ret = selabel_lookup(global_state.sepolicy.sehnd[0], &found_context, path, 0);
+ if (ret != 0) {
+ fprintf(stderr, "Error: unable to lookup the path for %s\n", line);
+ exit(1);
+ }
+
+ context_t found = context_new(found_context);
+ const char *found_type = context_type_get(found);
+
+ if (strcmp(found_type, expected_type)) {
+ fprintf(stderr, "Incorrect type for %s: resolved to %s, expected %s\n",
+ path, found_type, expected_type);
+ }
+
+ free(found_context);
+ context_free(found);
+ free(path);
+ free(expected_type);
+ }
+ fclose(test_data);
+
+ // Prints the coverage of file_contexts on the test data. It includes
+ // warnings for rules that have not been hit by any test example.
+ union selinux_callback cb;
+ cb.func_log = log_callback;
+ selinux_set_callback(SELINUX_CB_LOG, cb);
+ selabel_stats(global_state.sepolicy.sehnd[0]);
+ if (warnings) {
+ fprintf(stderr, "No test entries were found for the contexts above. " \
+ "You may need to update %s.\n", paths[1]);
+ exit(1);
+ }
+}
+
static void do_fc_check_and_die_on_error(struct selinux_opt opts[], unsigned int backend, filemode mode,
const char *sepolicy_file, const char *context_file, bool allow_empty)
{
@@ -345,11 +434,12 @@
bool allow_empty = false;
bool compare = false;
+ bool test_data = false;
char c;
filemode mode = filemode_file_contexts;
- while ((c = getopt(argc, argv, "clpsve")) != -1) {
+ while ((c = getopt(argc, argv, "clpsvet")) != -1) {
switch (c) {
case 'c':
compare = true;
@@ -373,6 +463,9 @@
mode = filemode_vendor_service_contexts;
backend = SELABEL_CTX_ANDROID_SERVICE;
break;
+ case 't':
+ test_data = true;
+ break;
case 'h':
default:
usage(argv[0]);
@@ -385,7 +478,7 @@
usage(argv[0]);
}
- if (compare && backend != SELABEL_CTX_FILE) {
+ if ((compare || test_data) && backend != SELABEL_CTX_FILE) {
usage(argv[0]);
}
@@ -393,6 +486,8 @@
if (compare) {
do_compare_and_die_on_error(opts, backend, &(argv[index]));
+ } else if (test_data) {
+ do_test_data_and_die_on_error(opts, backend, &(argv[index]));
} else {
/* remaining args are sepolicy file and context file */
char *sepolicy_file = argv[index];
diff --git a/tools/finalize-sdk-rel.sh b/tools/finalize-sdk-rel.sh
new file mode 100755
index 0000000..80c6fa8
--- /dev/null
+++ b/tools/finalize-sdk-rel.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Copyright (C) 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ $# -ne 2 ]; then
+ echo "Usage: $0 <top> <ver>"
+ exit 1
+fi
+
+top=$1
+ver=$2
+
+mkdir -p "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/public/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/private/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+
+cat > "$top/system/sepolicy/prebuilts/api/${ver}.0/Android.bp" <<EOF
+// Automatically generated file, do not edit!
+se_policy_conf {
+ name: "${ver}.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_${ver}.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_pub_policy.cil",
+ src: ":${ver}.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_product_pub_policy.cil",
+ src: ":${ver}.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.plat_private_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.system_ext_private_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.product_private_${ver}.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_policy.cil",
+ src: ":${ver}.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_${ver}.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "${ver}.0_plat_policy",
+ srcs: [":${ver}.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+EOF
diff --git a/tools/policy_version_check.sh b/tools/policy_version_check.sh
index 33ce861..f82c53d 100755
--- a/tools/policy_version_check.sh
+++ b/tools/policy_version_check.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
if [ "$MK" != "$BP" ]; then
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index cd61c9a..a941d6f 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -223,6 +223,7 @@
name: "plat_{ver}.cil",
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.plat_private}}"],
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -230,6 +231,7 @@
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -237,11 +239,13 @@
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.product_private}}"],
product_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
name: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.plat_private}}"],
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -249,6 +253,7 @@
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -256,11 +261,13 @@
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.product_private}}"],
product_specific: true,
+ version: "{ver}",
}}
se_compat_cil {{
name: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.plat_private}}"],
+ version: "{ver}",
}}
se_compat_cil {{
@@ -268,6 +275,7 @@
stem: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
"""
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index c8d5b46..9d6960b 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -11,15 +11,9 @@
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
-# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
-# make file of the system_ext partition.
-SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
-# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
-# make file of the product partition.
-PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
IS_TREBLE_TEST_ENABLED_PARTNER := false
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
+ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
IS_TREBLE_TEST_ENABLED_PARTNER := true
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
@@ -30,59 +24,7 @@
# built to enable us to determine the diff between the current policy and the
# $(version) policy, which will be used in tests to make sure that compatibility has
# been maintained by our mapping files.
-$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
-ifneq (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(PRODUCT_PREBUILT_POLICY))
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
-$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
-$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$($(version)_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-policy_files :=
-
-built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
-$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
-$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
-
-# TODO(b/214336258): move to Soong
-$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
-
-$(version)_plat_policy.conf :=
+built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \
@@ -106,51 +48,31 @@
# combining the current platform policy with nonplatform policy based on the
# $(version) policy release and also a special ignored file that exists purely for
# these tests.
+intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
mkdir -p $(dir $@)
cat $^ > $@
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-built_sepolicy_files := $(built_product_sepolicy)
public_cil_files := $(base_product_pub_policy.cil)
else
-built_sepolicy_files := $(built_plat_sepolicy)
public_cil_files := $(base_plat_pub_policy.cil)
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
-ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
-# TODO(b/113124961): remove fake-treble
-$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
-endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- $(all_fc_files) $(built_sepolicy) \
- $(built_sepolicy_files) \
$(public_cil_files) \
- $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
+ $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
- -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
- -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
- $(PRIVATE_FAKE_TREBLE)
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
+ -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+ -o $(PRIVATE_SEPOLICY_OLD)
$(hide) touch $@
-$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
-$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
-$(version)_PRODUCT_PUBLIC_POLICY :=
-$(version)_PRODUCT_PRIVATE_POLICY :=
-$(version)_PLAT_PUBLIC_POLICY :=
-$(version)_PLAT_PRIVATE_POLICY :=
built_sepolicy_files :=
public_cil_files :=
-cil_files :=
$(version)_mapping.cil :=
$(version)_mapping.combined.cil :=
$(version)_mapping.ignore.cil :=
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a2e460d..8e4ddb5 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,11 +14,13 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.ivn@V1-(.*)-service u:object_r:hal_ivn_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[1-3]-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V[1-2]-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.finder-service\.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.ranging-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
@@ -28,12 +30,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio-service.default u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service-lazy_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-service-lazy u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V[0-9]+)-external-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
@@ -54,7 +56,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V[1-2]-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
@@ -76,6 +78,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.macsec-service u:object_r:hal_macsec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
@@ -96,11 +100,14 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure u:object_r:hal_authgraph_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.secretkeeper-service.nonsecure u:object_r:hal_secretkeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.threadnetwork-service(\.sim)? u:object_r:hal_threadnetwork_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service u:object_r:hal_tv_hdmi_connection_default_exec:s0
@@ -123,7 +130,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant_macsec u:object_r:wpa_supplicant_macsec_exec:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+/(vendor|system/vendor)/bin/ot-rcp u:object_r:ot_rcp_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
#############################
@@ -147,3 +156,46 @@
#
/data/vendor/wifi/hostapd(/.*)? u:object_r:hostapd_data_file:s0
/data/vendor/wifi/wpa(/.*)? u:object_r:wpa_data_file:s0
+
+#############################
+# Vendor libraries loaded from SP-HAL (former VNDK-SP)
+#
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.common-V2-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.common\.fmq-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.allocator-V2-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common-V4-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.1\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.common@1\.2\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.composer3-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@2\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@2\.1\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hardware\.renderscript@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory\.token@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/android\.hidl\.safe_union@1\.0\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libRSCpuRef\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libRSDriver\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libRS_internal\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libbase\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libbcinfo\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libblas\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libc\+\+\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libcompiler_rt\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libcutils\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgralloctypes\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhardware\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhidlbase\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhidlmemory\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libion\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libjsoncpp\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/liblzma\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libprocessgroup\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libunwindstack\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libutils\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libutilscallstack\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libz\.so u:object_r:same_process_hal_file:s0
diff --git a/vendor/hal_authgraph_default.te b/vendor/hal_authgraph_default.te
new file mode 100644
index 0000000..1676cca
--- /dev/null
+++ b/vendor/hal_authgraph_default.te
@@ -0,0 +1,5 @@
+type hal_authgraph_default, domain;
+hal_server_domain(hal_authgraph_default, hal_authgraph)
+
+type hal_authgraph_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_authgraph_default)
diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
index ab474d6..4b4ee46 100644
--- a/vendor/hal_drm_clearkey.te
+++ b/vendor/hal_drm_clearkey.te
@@ -4,3 +4,4 @@
init_daemon_domain(hal_drm_clearkey_aidl)
hal_server_domain(hal_drm_clearkey_aidl, hal_drm)
+allow hal_drm_clearkey_aidl mediacodec:fd use;
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index 0bdb7fd..9ed7a8a 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -32,3 +32,7 @@
# allow to access graphics related properties
get_prop(hal_evs_default, graphics_config_prop);
+get_prop(hal_evs_default, graphics_config_writable_prop)
+
+# allow to use binder IPC.
+binder_use(hal_evs_default)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 7173223..e380ebd 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -8,3 +8,8 @@
allow hal_fingerprint_default fwk_sensor_service:service_manager find;
set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
+
+userdebug_or_eng(`
+ # Allow fingerprint hal to read app-created pipes (to respond shell commands from test apps)
+ allow hal_fingerprint_default appdomain:fifo_file read;
+')
diff --git a/vendor/hal_macsec_default.te b/vendor/hal_macsec_default.te
new file mode 100644
index 0000000..19b3d16
--- /dev/null
+++ b/vendor/hal_macsec_default.te
@@ -0,0 +1,8 @@
+type hal_macsec_default, domain;
+hal_server_domain(hal_macsec_default, hal_macsec)
+
+type hal_macsec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_macsec_default)
+
+# Allow registering with service manager.
+binder_call(hal_macsec_default, servicemanager)
diff --git a/vendor/hal_secretkeeper_default.te b/vendor/hal_secretkeeper_default.te
new file mode 100644
index 0000000..50f4ac1
--- /dev/null
+++ b/vendor/hal_secretkeeper_default.te
@@ -0,0 +1,5 @@
+type hal_secretkeeper_default, domain;
+hal_server_domain(hal_secretkeeper_default, hal_secretkeeper)
+
+type hal_secretkeeper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secretkeeper_default)
diff --git a/vendor/hal_threadnetwork_default.te b/vendor/hal_threadnetwork_default.te
new file mode 100644
index 0000000..3a24269
--- /dev/null
+++ b/vendor/hal_threadnetwork_default.te
@@ -0,0 +1,5 @@
+type hal_threadnetwork_default, domain;
+hal_server_domain(hal_threadnetwork_default, hal_threadnetwork)
+
+type hal_threadnetwork_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_threadnetwork_default)
diff --git a/vendor/ot_rcp.te b/vendor/ot_rcp.te
new file mode 100644
index 0000000..b1f57a7
--- /dev/null
+++ b/vendor/ot_rcp.te
@@ -0,0 +1,17 @@
+#
+# ot_rcp is the simulated Thread Radio Coprocessor device which is used by
+# Thread Network HAL for simulating the Thread radio chip.
+#
+type ot_rcp, domain;
+type ot_rcp_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+domain_auto_trans(hal_threadnetwork_default, ot_rcp_exec, ot_rcp)
+allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};
+allow ot_rcp hal_threadnetwork_default:fd use;
+allow ot_rcp hal_threadnetwork_default:fifo_file rw_file_perms;
+allow ot_rcp devpts:chr_file {read write ioctl};
+allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp node:udp_socket node_bind;
+allow ot_rcp port:udp_socket name_bind;
+')
diff --git a/vendor/wpa_supplicant_macsec.te b/vendor/wpa_supplicant_macsec.te
new file mode 100644
index 0000000..1b90ac7
--- /dev/null
+++ b/vendor/wpa_supplicant_macsec.te
@@ -0,0 +1,28 @@
+# wpa supplicant macsec or equivalent
+type wpa_supplicant_macsec, domain;
+type wpa_supplicant_macsec_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(wpa_supplicant_macsec)
+
+net_domain(wpa_supplicant_macsec)
+
+# Allow wpa_supplicant to configure nl80211
+allow wpa_supplicant_macsec proc_net_type:file write;
+
+# in addition to ioctls allowlisted for all domains, grant wpa_supplicant_macsec priv_sock_ioctls.
+allowxperm wpa_supplicant_macsec self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(wpa_supplicant_macsec, sysfs_type)
+r_dir_file(wpa_supplicant_macsec, proc_net_type)
+
+allow wpa_supplicant_macsec self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow wpa_supplicant_macsec cgroup:dir create_dir_perms;
+allow wpa_supplicant_macsec cgroup_v2:dir create_dir_perms;
+allow wpa_supplicant_macsec self:netlink_route_socket nlmsg_write;
+allow wpa_supplicant_macsec self:netlink_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wpa_supplicant_macsec self:packet_socket create_socket_perms;
+allowxperm wpa_supplicant_macsec self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+binder_use(wpa_supplicant_macsec)
+hal_client_domain(wpa_supplicant_macsec, hal_macsec)
+
