system_server: replace sys_resource with sys_ptrace am: 3d8dde0e2e am: dddbd2f3ba am: 5ee080531d am: 6b3ef92103
am: ed21f85552

Change-Id: Iba0094323da99989b1abf4e7002facce9af20e39
diff --git a/Android.mk b/Android.mk
index 0bfa54d..b7db00b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,7 +1,30 @@
 LOCAL_PATH:= $(call my-dir)
 
-include $(CLEAR_VARS)
+# PLATFORM_SEPOLICY_VERSION is a number of the form "NN.m" with "NN" mapping to
+# PLATFORM_SDK_VERSION and "m" as a minor number which allows for SELinux
+# changes independent of PLATFORM_SDK_VERSION.  This value will be set to
+# 10000.0 to represent tip-of-tree development that is inherently unstable and
+# thus designed not to work with any shipping vendor policy.  This is similar in
+# spirit to how DEFAULT_APP_TARGET_SDK is set.
+# The minor version ('m' component) must be updated every time a platform release
+# is made which breaks compatibility with the previous platform sepolicy version,
+# not just on every increase in PLATFORM_SDK_VERSION.  The minor version should
+# be reset to 0 on every bump of the PLATFORM_SDK_VERSION.
+sepolicy_major_vers := 26
+sepolicy_minor_vers := 0
 
+ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
+$(error sepolicy_major_version does not match PLATFORM_SDK_VERSION, please update.)
+endif
+ifneq (REL,$(PLATFORM_VERSION_CODENAME))
+    sepolicy_major_vers := 10000
+    sepolicy_minor_vers := 0
+endif
+PLATFORM_SEPOLICY_VERSION := $(join $(addsuffix .,$(sepolicy_major_vers)), $(sepolicy_minor_vers))
+sepolicy_major_vers :=
+sepolicy_minor_vers :=
+
+include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
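Review bot: The `$(error …)` text in the new version check names `sepolicy_major_version`, but the variable it is complaining about is `sepolicy_major_vers`; the message should point at the identifier a maintainer has to edit, e.g. `$(error sepolicy_major_vers ($(sepolicy_major_vers)) does not match PLATFORM_SDK_VERSION ($(PLATFORM_SDK_VERSION)), please update.)`. Printing both values also saves a second build to find out what the mismatch was. It is worth a one-line comment that the check runs before the non-REL override, so `sepolicy_major_vers` must track PLATFORM_SDK_VERSION on development branches too even though the resulting PLATFORM_SEPOLICY_VERSION there is always 10000.0.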
@@ -26,13 +49,68 @@
 LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
 endif
 
-# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS and the LOCAL_PATH.
-# $(1): the set of policy name paths to build
-build_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
+# sepolicy is now divided into multiple portions:
+# public - policy exported on which non-platform policy developers may write
+#   additional policy.  types and attributes are versioned and included in
+#   delivered non-platform policy, which is to be combined with platform policy.
+# private - platform-only policy required for platform functionality but which
+#  is not exported to vendor policy developers and as such may not be assumed
+#  to exist.
+# vendor - vendor-only policy required for vendor functionality. This policy can
+#  reference the public policy but cannot reference the private policy. This
+#  policy is for components which are produced from the core/non-vendor tree and
+#  placed into a vendor partition.
+# mapping - This contains policy statements which map the attributes
+#  exposed in the public policy of previous versions to the concrete types used
+#  in this policy to ensure that policy targeting attributes from public
+#  policy from an older platform version continues to work.
+
+# build process for device:
+# 1) convert policies to CIL:
+#    - private + public platform policy to CIL
+#    - mapping file to CIL (should already be in CIL form)
+#    - non-platform public policy to CIL
+#    - non-platform public + private policy to CIL
+# 2) attributize policy
+#    - run script which takes non-platform public and non-platform combined
+#      private + public policy and produces attributized and versioned
+#      non-platform policy
+# 3) combine policy files
+#    - combine mapping, platform and non-platform policy.
+#    - compile output binary policy file
+
+PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
+REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
+
+# TODO: move to README when doing the README update and finalizing versioning.
+# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
+# version identifier corresponding to the sepolicy on which the non-platform
+# policy is to be based. If unspecified, this will build against the current
+# public platform policy in tree
+ifndef BOARD_SEPOLICY_VERS
+$(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version)
+# The default platform policy version.
+BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
+endif
+
+
+platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
+
+###########################################################
+# Compute policy files to be used in policy build.
+# $(1): files to include
+# $(2): directories in which to find files
+###########################################################
+
+define build_policy
+$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
+endef
 
 # Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
 # $(1): the set of policy name paths to build
-build_device_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
+build_device_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 
 # Add a file containing only a newline in-between each policy configuration
 # 'contexts' file. This will allow OEM policy configuration files without a
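Review bot: The comment above `build_device_policy` still says the files are found in BOARD_SEPOLICY_DIRS, but the new definition also searches `$(PLAT_VENDOR_POLICY)`; suggest `# Builds paths for all policy files found in PLAT_VENDOR_POLICY and BOARD_SEPOLICY_DIRS.`. BOARD_SEPOLICY_VERS is documented as having to be of the form "NN.m" and is spliced straight into module names and the mapping-file path, but nothing enforces that; a malformed value only surfaces later as a missing prerequisite. A parse-time check next to the `ifndef` keeps the failure close to its cause: `ifneq (2,$(words $(subst ., ,$(BOARD_SEPOLICY_VERS))))` / `$(error BOARD_SEPOLICY_VERS must have the form NN.m, got '$(BOARD_SEPOLICY_VERS)')` / `endif`. Note also that `build_policy` is built on `$(wildcard)`, so a policy file listed in `sepolicy_build_files` that is absent from every given directory is silently dropped rather than reported — worth a line in the `define` header.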
@@ -47,6 +125,7 @@
                         global_macros \
                         neverallow_macros \
                         mls_macros \
+                        mls_decl \
                         mls \
                         policy_capabilities \
                         te_macros \
@@ -54,6 +133,7 @@
                         ioctl_defines \
                         ioctl_macros \
                         *.te \
+                        roles_decl \
                         roles \
                         users \
                         initial_sid_contexts \
@@ -61,6 +141,123 @@
                         genfs_contexts \
                         port_contexts
 
+# CIL files which contain workarounds for current limitation of human-readable
+# module policy language. These files are appended to the CIL files produced
+# from module language files.
+sepolicy_build_cil_workaround_files := technical_debt.cil
+
+my_target_arch := $(TARGET_ARCH)
+ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
+  my_target_arch := mips
+endif
+
+intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
+
+with_asan := false
+ifneq (,$(filter address,$(SANITIZE_TARGET)))
+  with_asan := true
+endif
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy
+LOCAL_MODULE_TAGS := optional
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+    $(platform_mapping_file) \
+    nonplat_sepolicy.cil \
+    plat_sepolicy.cil \
+    plat_and_mapping_sepolicy.cil.sha256 \
+    secilc \
+    nonplat_file_contexts \
+    plat_file_contexts \
+    plat_sepolicy_vers.txt
+
+# Include precompiled policy, unless told otherwise
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
+endif
+
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy \
+    file_contexts.bin
+endif
+include $(BUILD_PHONY_PACKAGE)
+
+##################################
+# reqd_policy_mask - a policy.conf file which contains only the bare minimum
+# policy necessary to use checkpolicy.  This bare-minimum policy needs to be
+# present in all policy.conf files, but should not necessarily be exported as
+# part of the public policy.  The rules generated by reqd_policy_mask will allow
+# the compilation of public policy and subsequent removal of CIL policy that
+# should not be exported.
+
+reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
+$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
+	@mkdir -p $(dir $@)
+	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
+		-s $^ > $@
+
+reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
+$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+	@mkdir -p $(dir $@)
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c $(POLICYVERS) -o $@ $<
+
+reqd_policy_mask.conf :=
+
+##################################
+# plat_pub_policy - policy that will be exported to be a part of non-platform
+# policy corresponding to this platform version.  This is a limited subset of
+# policy that would not compile in checkpolicy on its own.  To get around this
+# limitation, add only the required files from private policy, which will
+# generate CIL policy that will then be filtered out by the reqd_policy_mask.
+plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
+$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+	@mkdir -p $(dir $@)
+	 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
+		-s $^ > $@
+
+plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
+$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
+$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
+	@mkdir -p $(dir $@)
+	$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
+
+plat_pub_policy.conf :=
+
 ##################################
 include $(CLEAR_VARS)
 
@@ -79,6 +276,208 @@
 #################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := plat_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# plat_policy.conf - A combination of the private and public platform policy
+# which will ship with the device.  The platform will always reflect the most
+# recent platform version and is not currently being attributized.
+plat_policy.conf := $(intermediates)/plat_policy.conf
+$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+	@mkdir -p $(dir $@)
+	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
+		-s $^ > $@
+	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+  $(HOST_OUT_EXECUTABLES)/secilc \
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+	@mkdir -p $(dir $@)
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+
+built_plat_cil := $(LOCAL_BUILT_MODULE)
+plat_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_sepolicy_vers.txt
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) :
+	mkdir -p $(dir $@)
+	echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := $(platform_mapping_file)
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# auto-generate the mapping file for current platform policy, since it needs to
+# track platform policy development
+current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
+$(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
+$(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
+	@mkdir -p $(dir $@)
+	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+
+
+ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
+mapping_policy := $(current_mapping.cil)
+else
+mapping_policy := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
+endif
+
+$(LOCAL_BUILT_MODULE): $(mapping_policy) $(ACP)
+	$(hide) $(ACP) $< $@
+
+built_mapping_cil := $(LOCAL_BUILT_MODULE)
+current_mapping.cil :=
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
+	cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := nonplat_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# nonplat_policy.conf - A combination of the non-platform private, vendor and
+# the exported platform policy associated with the version the non-platform
+# policy targets.  This needs attributization and to be combined with the
+# platform-provided policy.  Like plat_pub_policy.conf, this needs to make use
+# of the reqd_policy_mask files from private policy in order to use checkpolicy.
+nonplat_policy.conf := $(intermediates)/nonplat_policy.conf
+$(nonplat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+	@mkdir -p $(dir $@)
+	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
+		-s $^ > $@
+	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
+$(nonplat_policy_raw): PRIVATE_POL_CONF := $(nonplat_policy.conf)
+$(nonplat_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
+$(reqd_policy_mask.cil)
+	@mkdir -p $(dir $@)
+	$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
+
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
+$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
+$(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_mapping_cil)
+	@mkdir -p $(dir $@)
+	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) \
+		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+built_nonplat_cil := $(LOCAL_BUILT_MODULE)
+nonplat_policy.conf :=
+nonplat_policy_raw :=
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := precompiled_sepolicy
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := \
+$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
+		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
+
+built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
+
+#################################
+# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
+# which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
+	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+# build this target so that we can still perform neverallow checks
+
 LOCAL_MODULE := sepolicy
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
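Review bot: The `plat_sepolicy.cil` recipe writes checkpolicy output and the appended workaround files directly to `$@` and only then runs secilc to validate it, so a validation failure leaves a complete-looking `$@` that is newer than its inputs; unless `.DELETE_ON_ERROR` is in effect for this build, a re-run treats it as up to date and the unvalidated policy is what gets installed. The `sepolicy` rule later in this change already uses the `$@.tmp` then `mv` shape, so the same pattern fits here. The `nonplat_sepolicy.cil` recipe has the same ordering (version_policy writes `$@`, secilc checks afterwards) and its version_policy line is also the only recipe line here without the `$(hide)` prefix. Separately, the `plat_sepolicy_vers.txt` rule has no prerequisites at all, so under plain GNU make it is regenerated only when missing and a changed BOARD_SEPOLICY_VERS would not be picked up; if the build relies on the changed command line being detected, a comment saying so would stop the next reader from "fixing" it.
```make
# … unchanged: plat_sepolicy.cil target-specific variables and prerequisites …
	@mkdir -p $(dir $@)
	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@.tmp $<
	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) $@.tmp -o /dev/null -f /dev/null
	$(hide) mv $@.tmp $@
```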
@@ -86,22 +485,15 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-sepolicy_policy.conf := $(intermediates)/policy.conf
-$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-s $^ > $@
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+all_cil_files := \
+    $(built_plat_cil) \
+    $(built_mapping_cil) \
+    $(built_nonplat_cil)
 
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
+	$(hide) $< -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
 	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
 	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
 		echo "==========" 1>&2; \
@@ -113,30 +505,43 @@
 	$(hide) mv $@.tmp $@
 
 built_sepolicy := $(LOCAL_BUILT_MODULE)
-sepolicy_policy.conf :=
+all_cil_files :=
 
-##################################
+#################################
 include $(CLEAR_VARS)
 
+# keep concrete sepolicy for neverallow checks
+
 LOCAL_MODULE := sepolicy.recovery
+LOCAL_MODULE_STEM := sepolicy
 LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := eng
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
-$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
+sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
+$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
+                           $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+                           $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
 		-D target_recovery=true \
 		-s $^ > $@
+	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
+$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+                       $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
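Review bot: The recovery policy's m4 invocation gains `target_with_dexpreopt`, `target_arch` and `target_with_asan` but, unlike every other `.conf` rule in this change, does not pass `-D target_full_treble=$(PRODUCT_FULL_TREBLE)`; if any macro in the shared policy sources branches on that symbol, the recovery policy will silently take the undefined-symbol path. If the omission is deliberate because recovery does not use the split policy, say so in a comment next to `-D target_recovery=true`; otherwise add `-D target_full_treble=$(PRODUCT_FULL_TREBLE) \` alongside the other definitions. The `sepolicy.recovery` build rule's recipe continues past the end of this hunk.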
@@ -149,10 +554,12 @@
 		fi
 	$(hide) mv $@.tmp $@
 
-built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
-sepolicy_policy_recovery.conf :=
+sepolicy.recovery.conf :=
 
 ##################################
+# SELinux policy embedded into CTS.
+# CTS checks neverallow rules of this policy against the policy of the device under test.
+##################################
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := general_sepolicy.conf
@@ -161,37 +568,24 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-exp_sepolicy_build_files :=\
-  $(foreach file, $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)), $(sort $(wildcard $(file))))
-
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=user \
+		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+		-D target_arch=$(PRIVATE_TGT_ARCH) \
+		-D target_with_asan=false \
+		-D target_full_treble=cts \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
-exp_sepolicy_build_files :=
-
 ##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy.general
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF)
-
-built_general_sepolicy := $(LOCAL_BUILT_MODULE)
-##################################
+# TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
+#
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := file_contexts.bin
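Review bot: The CTS policy is built with `-D target_full_treble=cts`, a third value distinct from the `true`/`false` every device build passes, and nothing explains what policy macros are expected to do with it; a reader cannot tell whether it is meant to behave like `true`, like `false`, or to select CTS-only rules. Suggest a comment above the m4 line such as `# target_full_treble=cts: general policy must not depend on the device's Treble setting; macros treat this value as neither true nor false — see the users of target_full_treble in the policy sources.`, adjusted to whatever the macros actually do. The same applies to the hard-coded `-D target_with_asan=false`, which is presumably intentional because CTS policy is compared against arbitrary devices — worth one clause in the same comment.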
@@ -216,9 +610,9 @@
 #  Note: That a newline file is placed between each file_context file found to
 #        ensure a proper build when an fc file is missing an ending newline.
 
-local_fc_files := $(LOCAL_PATH)/file_contexts
+local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files := $(local_fc_files) $(LOCAL_PATH)/file_contexts_asan
+  local_fc_files := $(local_fc_files) $(PLAT_PRIVATE_POLICY)/file_contexts_asan
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
@@ -267,238 +661,481 @@
 ##################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := general_file_contexts.bin
+LOCAL_MODULE := file_contexts.bin.recovery
+LOCAL_MODULE_STEM := file_contexts.bin
 LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-general_file_contexts.tmp := $(intermediates)/general_file_contexts.tmp
-$(general_file_contexts.tmp): $(addprefix $(LOCAL_PATH)/, file_contexts)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $< > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): $(general_file_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
-	$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-
-general_file_contexts.tmp :=
+$(LOCAL_BUILT_MODULE): $(built_fc)
+	$(hide) cp -f $< $@
 
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := seapp_contexts
+
+LOCAL_MODULE := plat_file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(call build_policy, seapp_contexts)
+local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
+ifneq ($(filter address,$(SANITIZE_TARGET)),)
+  local_fc_files += $(PLAT_PRIVATE_POLICY)/file_contexts_asan
+endif
+local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
+$(local_fcfiles_with_nl) $(built_sepolicy)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_FC_FILES) > $@.tmp
+	$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
+	$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
+
+built_plat_fc := $(LOCAL_BUILT_MODULE)
+local_fc_files :=
+local_fcfiles_with_nl :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := nonplat_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+nonplat_fc_files := $(call build_device_policy, file_contexts)
+nonplat_fcfiles_with_nl := $(call add_nl, $(nonplat_fc_files), $(built_nl))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(nonplat_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
+$(nonplat_fcfiles_with_nl) $(built_sepolicy)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+	$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
+	$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
+
+built_nonplat_fc := $(LOCAL_BUILT_MODULE)
+nonplat_fc_files :=
+nonplat_fcfiles_with_nl :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := plat_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(all_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
 
-built_sc := $(LOCAL_BUILT_MODULE)
-all_sc_files :=
+built_plat_sc := $(LOCAL_BUILT_MODULE)
+plat_sc_files :=
 
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := general_seapp_contexts
+LOCAL_MODULE := nonplat_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(addprefix $(LOCAL_PATH)/, seapp_contexts)
+nonplat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+plat_sc_neverallow_files := $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
 
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILE := $(all_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILE)
+	$(hide) grep -ie '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
 
-all_sc_files :=
+built_nonplat_sc := $(LOCAL_BUILT_MODULE)
+nonplat_sc_files :=
 
 ##################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := general_seapp_neverallows
+LOCAL_MODULE := plat_seapp_neverallows
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := tests
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-$(LOCAL_BUILT_MODULE): $(addprefix $(LOCAL_PATH)/, seapp_contexts)
+$(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files)
 	@mkdir -p $(dir $@)
 	- $(hide) grep -ie '^neverallow' $< > $@
 
+plat_sc_neverallow_files :=
 
 ##################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := property_contexts
+LOCAL_MODULE := plat_property_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
+
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_pc_files := $(call build_policy, property_contexts)
-all_pcfiles_with_nl := $(call add_nl, $(all_pc_files), $(built_nl))
+plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))
 
-property_contexts.tmp := $(intermediates)/property_contexts.tmp
-$(property_contexts.tmp): PRIVATE_PC_FILES := $(all_pcfiles_with_nl)
-$(property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(property_contexts.tmp): $(all_pcfiles_with_nl)
+plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp
+$(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles)
+$(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_property_contexts.tmp): $(plat_pcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+	@mkdir -p $(dir $@)
+	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< | sort -u -o $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+
+built_plat_pc := $(LOCAL_BUILT_MODULE)
+plat_pcfiles :=
+plat_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := nonplat_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+nonplat_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+nonplat_property_contexts.tmp := $(intermediates)/nonplat_property_contexts.tmp
+$(nonplat_property_contexts.tmp): PRIVATE_PC_FILES := $(nonplat_pcfiles)
+$(nonplat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_property_contexts.tmp): $(nonplat_pcfiles)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
 
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
 	@mkdir -p $(dir $@)
-	$(hide) $(ACP) $< $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $<
+	$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< | sort -u -o $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
 
-built_pc := $(LOCAL_BUILT_MODULE)
-all_pc_files :=
-all_pcfiles_with_nl :=
-property_contexts.tmp :=
+built_nonplat_pc := $(LOCAL_BUILT_MODULE)
+nonplat_pcfiles :=
+nonplat_property_contexts.tmp :=
 
 ##################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := general_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-general_property_contexts.tmp := $(intermediates)/general_property_contexts.tmp
-$(general_property_contexts.tmp): $(addprefix $(LOCAL_PATH)/, property_contexts)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $< > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): $(general_property_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
-	@mkdir -p $(dir $@)
-	$(hide) $(ACP) $< $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $<
-
-general_property_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := service_contexts
+LOCAL_MODULE := plat_property_contexts.recovery
+LOCAL_MODULE_STEM := plat_property_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_svc_files := $(call build_policy, service_contexts)
-all_svcfiles_with_nl := $(call add_nl, $(all_svc_files), $(built_nl))
+$(LOCAL_BUILT_MODULE): $(built_plat_pc)
+	$(hide) cp -f $< $@
 
-service_contexts.tmp := $(intermediates)/service_contexts.tmp
-$(service_contexts.tmp): PRIVATE_SVC_FILES := $(all_svcfiles_with_nl)
-$(service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(service_contexts.tmp): $(all_svcfiles_with_nl)
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := nonplat_property_contexts.recovery
+LOCAL_MODULE_STEM := nonplat_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_nonplat_pc)
+	$(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
+
+plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
+$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
+$(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_service_contexts.tmp): $(plat_svcfiles)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $<
-	$(hide) $(ACP) $< $@
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
 
-built_svc := $(LOCAL_BUILT_MODULE)
-all_svc_files :=
-all_svcfiles_with_nl :=
-service_contexts.tmp :=
+built_plat_svc := $(LOCAL_BUILT_MODULE)
+plat_svcfiles :=
+plat_service_contexts.tmp :=
 
 ##################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := general_service_contexts
+LOCAL_MODULE := nonplat_service_contexts
 LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-general_service_contexts.tmp := $(intermediates)/general_service_contexts.tmp
-$(general_service_contexts.tmp): $(addprefix $(LOCAL_PATH)/, service_contexts)
-	@mkdir -p $(dir $@)
-	$(hide) m4 -s $< > $@
+nonplat_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): $(general_service_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+nonplat_service_contexts.tmp := $(intermediates)/nonplat_service_contexts.tmp
+$(nonplat_service_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_svcfiles)
+$(nonplat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_service_contexts.tmp): $(nonplat_svcfiles)
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $<
-	$(hide) $(ACP) $< $@
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
 
-general_service_contexts.tmp :=
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(nonplat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+built_nonplat_svc := $(LOCAL_BUILT_MODULE)
+nonplat_svcfiles :=
+nonplat_service_contexts.tmp :=
 
 ##################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := mac_permissions.xml
+LOCAL_MODULE := plat_hwservice_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY))
+
+plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp
+$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
+$(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+plat_hwsvcfiles :=
+plat_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := nonplat_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+nonplat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+nonplat_hwservice_contexts.tmp := $(intermediates)/nonplat_hwservice_contexts.tmp
+$(nonplat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_hwsvcfiles)
+$(nonplat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_hwservice_contexts.tmp): $(nonplat_hwsvcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(nonplat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+nonplat_hwsvcfiles :=
+nonplat_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vndservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
+$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
+$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vndservice_contexts.tmp): $(vnd_svcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
+
+vnd_svcfiles :=
+vndservice_contexts.tmp :=
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
 # Build keys.conf
-mac_perms_keys.tmp := $(intermediates)/keys.tmp
-$(mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(mac_perms_keys.tmp): $(call build_policy, keys.conf)
+plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
+$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
-all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE))
+all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
 
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(all_mac_perms_files)
+# Should be synced with keys.conf.
+all_plat_keys := platform media shared testkey
+all_plat_keys := $(all_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_plat_mac_perms_files) $(all_plat_keys)
 	@mkdir -p $(dir $@)
 	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
 		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
 
-mac_perms_keys.tmp :=
 all_mac_perms_files :=
+all_plat_keys :=
+plat_mac_perms_keys.tmp :=
 
 ##################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := selinux_version
+LOCAL_MODULE := nonplat_mac_permissions.xml
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 
 include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
+
+# Build keys.conf
+nonplat_mac_perms_keys.tmp := $(intermediates)/nonplat_keys.tmp
+$(nonplat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
 	@mkdir -p $(dir $@)
-	$(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_nonplat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_nonplat_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(nonplat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_nonplat_mac_perms_files)
+	@mkdir -p $(dir $@)
+	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+nonplat_mac_perms_keys.tmp :=
+all_nonplat_mac_perms_files :=
 
 ##################################
 
-build_policy :=
-build_device_policy :=
-sepolicy_build_files :=
-built_sepolicy :=
-built_sepolicy_recovery :=
-built_sc :=
-built_fc :=
-built_pc :=
-built_svc :=
-built_general_sepolicy :=
-built_general_sepolicy.conf :=
-built_nl :=
 add_nl :=
+build_device_policy :=
+build_policy :=
+built_plat_fc :=
+built_nonplat_fc :=
+built_nl :=
+built_plat_cil :=
+built_mapping_cil :=
+built_plat_pc :=
+built_nonplat_cil :=
+built_nonplat_pc :=
+built_nonplat_sc :=
+built_plat_sc :=
+built_precompiled_sepolicy :=
+built_sepolicy :=
+built_plat_svc :=
+built_nonplat_svc :=
+mapping_policy :=
+my_target_arch :=
+plat_pub_policy.cil :=
+reqd_policy_mask.cil :=
+sepolicy_build_files :=
+sepolicy_build_cil_workaround_files :=
+with_asan :=
 
 include $(call all-makefiles-under,$(LOCAL_PATH))
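Review bot: `all_plat_keys := $(all_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)` in the new plat_mac_permissions.xml module substitutes on `all_keys`, not on the `all_plat_keys` list assigned on the line just above it, so unless `all_keys` is defined earlier in the file the result is empty and the platform/media/shared/testkey certificates silently drop out of the target's prerequisite list; a rotated signing certificate would then not rebuild the seinfo-to-certificate mapping that insertkeys.py embeds. It should read `all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)`, and the leftover `all_mac_perms_files :=` reset below it should clear `all_plat_mac_perms_files` instead. Separately, the plat/nonplat service, hwservice, vndservice and property context rules now write `$@` with sed or `sort -o` and only afterwards run checkfc on it, whereas the file_contexts rules validate `$@.tmp` and only then produce `$@`; unless the enclosing build sets `.DELETE_ON_ERROR`, a checkfc rejection leaves an unvalidated output in place with a fresh mtime that a re-run treats as up to date. Writing to `$@.tmp`, running checkfc on that and finishing with `mv -f $@.tmp $@` keeps the check as a real gate, and mirrors what the fc_sort recipes already do. The plat and nonplat recipes are also inconsistent about `$(hide)` on their sed and checkfc lines.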
diff --git a/CleanSpec.mk b/CleanSpec.mk
index f141e34..0933115 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -50,3 +50,24 @@
 
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/file_contexts)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/file_contexts)
+
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/plat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/plat_property_contexts)
+
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/property_contexts)
+
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/property_contexts)
+
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_property_contexts)
+
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/mapping_sepolicy.cil)
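Review bot: The `rm -rf $(PRODUCT_OUT)/root/property_contexts` and `$(PRODUCT_OUT)/recovery/root/property_contexts` clean steps are added twice in a row; the second pair is redundant and should be dropped. The new steps also only cover the context files, while the Android.mk change in this commit stops producing `/root/seapp_contexts`, `/root/selinux_version` and `system/etc/security/mac_permissions.xml` in favour of the plat/nonplat outputs; if the build system does not remove those paths on its own, an incremental build would carry the stale copies into the image, so matching `add-clean-step` lines for them seem worth adding.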
diff --git a/PREUPLOAD.cfg b/PREUPLOAD.cfg
new file mode 100644
index 0000000..468243a
--- /dev/null
+++ b/PREUPLOAD.cfg
@@ -0,0 +1,2 @@
+[Hook Scripts]
+whitespace = tools/whitespace.sh ${PREUPLOAD_FILES}
diff --git a/README b/README
index a3c75b8..0cc8e30 100644
--- a/README
+++ b/README
@@ -26,7 +26,7 @@
 For example, if you have 2 instances of widget.te files in the
 BOARD_SEPOLICY_DIRS search path, then the first one found (at the
 first search dir containing the file) will be concatenated first.
-Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
+Reviewing out/target/product/<device>/obj/ETC/sepolicy_intermediates/policy.conf
 will help sort out ordering issues.
 
 Example BoardConfig.mk Usage:
diff --git a/attributes b/attributes
deleted file mode 100644
index a846c34..0000000
--- a/attributes
+++ /dev/null
@@ -1,115 +0,0 @@
-######################################
-# Attribute declarations
-#
-
-# All types used for devices.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# in tools/checkfc.c
-attribute dev_type;
-
-# All types used for processes.
-attribute domain;
-
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
-
-# All types used for filesystems.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute fs_type;
-
-# All types used for context= mounts.
-attribute contextmount_type;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-# All types used for /data files.
-attribute data_file_type;
-
-# All types use for sysfs files.
-attribute sysfs_type;
-
-# All types use for debugfs files.
-attribute debugfs_type;
-
-# Attribute used for all sdcards
-attribute sdcard_type;
-
-# All types used for nodes/hosts.
-attribute node_type;
-
-# All types used for network interfaces.
-attribute netif_type;
-
-# All types used for network ports.
-attribute port_type;
-
-# All types used for property service
-# On change, update CHECK_PC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute property_type;
-
-# All properties defined in core SELinux policy. Should not be
-# used by device specific properties
-attribute core_property_type;
-
-# All properties used to configure log filtering.
-attribute log_property_type;
-
-# All service_manager types created by system_server
-attribute system_server_service;
-
-# services which should be available to all but isolated apps
-attribute app_api_service;
-
-# services which export only system_api
-attribute system_api_service;
-
-# All types used for services managed by service_manager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All domains that can override MLS restrictions.
-# i.e. processes that can read up and write down.
-attribute mlstrustedsubject;
-
-# All types that can override MLS restrictions.
-# i.e. files that can be read by lower and written by higher
-attribute mlstrustedobject;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
-# All domains used for apps with bluetooth access.
-attribute bluetoothdomain;
-
-# All domains used for binder service domains.
-attribute binderservicedomain;
-
-# All domains that access the boot_control HAL. The permissions the HAL
-# requires are specific to the implementation provided in each device, but
-# common daemons need to be aware of those when calling into the HAL.
-attribute boot_control_hal;
-
-# update_engine related domains that need to apply an update and run
-# postinstall. This includes the background daemon and the sideload tool from
-# recovery for A/B devices.
-attribute update_engine_common;
diff --git a/audioserver.te b/audioserver.te
deleted file mode 100644
index da12649..0000000
--- a/audioserver.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# audioserver - audio services daemon
-type audioserver, domain;
-type audioserver_exec, exec_type, file_type;
-
-init_daemon_domain(audioserver)
-
-r_dir_file(audioserver, sdcard_type)
-
-binder_use(audioserver)
-binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, { appdomain autoplay_app })
-binder_service(audioserver)
-
-r_dir_file(audioserver, proc)
-allow audioserver ion_device:chr_file r_file_perms;
-allow audioserver system_file:dir r_dir_perms;
-
-userdebug_or_eng(`
-  # used for TEE sink - pcm capture for debug.
-  allow audioserver media_data_file:dir create_dir_perms;
-  allow audioserver audioserver_data_file:dir create_dir_perms;
-  allow audioserver audioserver_data_file:file create_file_perms;
-
-  # ptrace to processes in the same domain for memory leak detection
-  allow audioserver self:process ptrace;
-')
-
-allow audioserver audio_device:dir r_dir_perms;
-allow audioserver audio_device:chr_file rw_file_perms;
-
-allow audioserver audioserver_service:service_manager { add find };
-allow audioserver appops_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-
-# Grant access to audio files to audioserver
-allow audioserver audio_data_file:dir ra_dir_perms;
-allow audioserver audio_data_file:file create_file_perms;
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
-###
-### neverallow rules
-###
-
-# audioserver should never execute any executable without a
-# domain transition
-neverallow audioserver { file_type fs_type }:file execute_no_trans;
-
-# audioserver should never need network access. Disallow network sockets.
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/autoplay_app.te b/autoplay_app.te
deleted file mode 100644
index f671d5d..0000000
--- a/autoplay_app.te
+++ /dev/null
@@ -1,109 +0,0 @@
-###
-### AutoPlay apps.
-###
-### This file defines the security policy for apps with the autoplay
-### feature.
-###
-### The autoplay_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to autoplay to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as autoplay at install time.
-type autoplay_app, domain;
-
-# allow JITing
-allow autoplay_app self:process execmem;
-allow autoplay_app ashmem_device:chr_file execute;
-
-# Define and allow access to our own type for ashmem regions.
-# Label ashmem objects with our own unique type.
-tmpfs_domain(autoplay_app)
-# Map with PROT_EXEC.
-allow autoplay_app autoplay_app_tmpfs:file execute;
-
-# Read system properties managed by zygote.
-allow autoplay_app zygote_tmpfs:file read;
-
-# Send logcat messages to logd.
-write_logd(autoplay_app)
-
-# Receive and use open file descriptors inherited from zygote.
-allow autoplay_app zygote:fd use;
-
-# Notify zygote of death;
-allow autoplay_app zygote:process sigchld;
-
-# application inherit logd write socket (urge is to deprecate this long term)
-allow autoplay_app zygote:unix_dgram_socket write;
-
-# App sandbox file accesses.
-allow autoplay_app autoplay_data_file:dir create_dir_perms;
-allow autoplay_app autoplay_data_file:{ file sock_file fifo_file } create_file_perms;
-
-# For art.
-allow autoplay_app dalvikcache_data_file:file { execute r_file_perms };
-allow autoplay_app dalvikcache_data_file:lnk_file r_file_perms;
-allow autoplay_app dalvikcache_data_file:dir getattr;
-
-# Grant GPU access. autoplay_app needs that to render the standard UI.
-allow autoplay_app gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(autoplay_app)
-# Perform binder IPC to binder services.
-binder_call(autoplay_app, surfaceflinger)
-binder_call(autoplay_app, system_server)
-
-# Allow read access to ion memory allocation device
-allow autoplay_app ion_device:chr_file { read open };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow autoplay_app system_server:fifo_file rw_file_perms;
-allow autoplay_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow autoplay_app system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Inherit or receive open files from system_server.
-allow autoplay_app system_server:fd use;
-
-# Communicate with surfaceflinger.
-allow autoplay_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# Read files already opened under /data.
-allow autoplay_app system_data_file:file { getattr read };
-allow autoplay_app system_data_file:lnk_file read;
-
-# System file accesses. Check for libraries
-allow autoplay_app system_file:dir getattr;
-
-# services
-allow autoplay_app accessibility_service:service_manager find;
-allow autoplay_app activity_service:service_manager find;
-allow autoplay_app assetatlas_service:service_manager find;
-allow autoplay_app connectivity_service:service_manager find;
-allow autoplay_app display_service:service_manager find;
-allow autoplay_app graphicsstats_service:service_manager find;
-allow autoplay_app input_method_service:service_manager find;
-allow autoplay_app input_service:service_manager find;
-allow autoplay_app surfaceflinger_service:service_manager find;
-allow autoplay_app textservices_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow autoplay_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow autoplay_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow autoplay_app debugfs:file read;
-
-# execute gpu_device
-neverallow autoplay_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow autoplay_app sysfs:file *;
diff --git a/boot_control_hal.te b/boot_control_hal.te
deleted file mode 100644
index 2a670b3..0000000
--- a/boot_control_hal.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow read/write bootctrl block device, if one is defined.
-allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;
diff --git a/cameraserver.te b/cameraserver.te
deleted file mode 100644
index 4f50f8d..0000000
--- a/cameraserver.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# cameraserver - camera daemon
-type cameraserver, domain;
-type cameraserver_exec, exec_type, file_type;
-
-init_daemon_domain(cameraserver)
-
-binder_use(cameraserver)
-binder_call(cameraserver, binderservicedomain)
-binder_call(cameraserver, appdomain)
-binder_service(cameraserver)
-
-# access /data/misc/camera
-allow cameraserver camera_data_file:dir create_dir_perms;
-allow cameraserver camera_data_file:file create_file_perms;
-
-allow cameraserver video_device:dir r_dir_perms;
-allow cameraserver video_device:chr_file rw_file_perms;
-allow cameraserver ion_device:chr_file rw_file_perms;
-
-allow cameraserver appops_service:service_manager find;
-allow cameraserver audioserver_service:service_manager find;
-allow cameraserver batterystats_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver cameraserver_service:service_manager add;
-allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
-allow cameraserver surfaceflinger_service:service_manager find;
-
-###
-### neverallow rules
-###
-
-# cameraserver should never execute any executable without a
-# domain transition
-neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-
-# cameraserver should never need network access. Disallow network sockets.
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/debuggerd.te b/debuggerd.te
deleted file mode 100644
index 3338b8d..0000000
--- a/debuggerd.te
+++ /dev/null
@@ -1,61 +0,0 @@
-# debugger interface
-type debuggerd, domain, domain_deprecated;
-type debuggerd_exec, exec_type, file_type;
-
-init_daemon_domain(debuggerd)
-typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
-allow debuggerd self:capability2 { syslog };
-allow debuggerd domain:dir r_dir_perms;
-allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:lnk_file read;
-allow debuggerd {
-  domain
-  -adbd
-  -debuggerd
-  -healthd
-  -init
-  -keystore
-  -ueventd
-  -watchdogd
-}:process { ptrace getattr };
-security_access_policy(debuggerd)
-allow debuggerd tombstone_data_file:dir rw_dir_perms;
-allow debuggerd tombstone_data_file:file create_file_perms;
-allow debuggerd shared_relro_file:dir r_dir_perms;
-allow debuggerd shared_relro_file:file r_file_perms;
-allow debuggerd domain:process { sigstop sigkill signal };
-allow debuggerd exec_type:file r_file_perms;
-# Access app library
-allow debuggerd system_data_file:file open;
-# Allow debuggerd to redirect a dump_backtrace request to itself.
-# This only happens on 64 bit systems, where all requests go to the 64 bit
-# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-
-allow debuggerd {
-  audioserver
-  bluetooth
-  cameraserver
-  drmserver
-  inputflinger
-  mediacodec
-  mediadrmserver
-  mediaextractor
-  mediaserver
-  sdcardd
-  surfaceflinger
-}:debuggerd dump_backtrace;
-
-# Connect to system_server via /data/system/ndebugsocket.
-unix_socket_connect(debuggerd, system_ndebug, system_server)
-
-userdebug_or_eng(`
-  allow debuggerd input_device:dir r_dir_perms;
-  allow debuggerd input_device:chr_file rw_file_perms;
-')
-
-# logd access
-read_logd(debuggerd)
-
-# Check SELinux permissions.
-selinux_check_access(debuggerd)
diff --git a/domain.te b/domain.te
deleted file mode 100644
index 06b9dc2..0000000
--- a/domain.te
+++ /dev/null
@@ -1,605 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
-    fork
-    sigchld
-    sigkill
-    sigstop
-    signull
-    signal
-    getsched
-    setsched
-    getsession
-    getpgid
-    setpgid
-    getcap
-    setcap
-    getattr
-    setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-userdebug_or_eng(`
-  # Same as adbd rules above, except allow su to do the same thing
-  allow domain su:unix_stream_socket connectto;
-  allow domain su:fd use;
-  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
-
-  allow { domain -init } su:binder { call transfer };
-  allow { domain -init } su:fd use;
-
-  # Running something like "pm dump com.android.bluetooth" requires
-  # fifo writes
-  allow domain su:fifo_file { write getattr };
-
-  # allow "gdbserver --attach" to work for su.
-  allow domain su:process sigchld;
-
-  # Allow writing coredumps to /cores/*
-  allow domain coredump_file:file create_file_perms;
-  allow domain coredump_file:dir ra_dir_perms;
-')
-
-###
-### Talk to debuggerd.
-###
-allow domain debuggerd:process sigchld;
-allow domain debuggerd:unix_stream_socket connectto;
-
-# Root fs.
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
-allow domain binder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
-allow domain urandom_device:chr_file rw_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:dir r_dir_perms;
-allow domain properties_serial:file r_file_perms;
-
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-get_prop(domain, core_property_type)
-# Let everyone read log properties, so that liblog can avoid sending unloggable
-# messages to logd.
-get_prop(domain, log_property_type)
-dontaudit domain property_type:file audit_access;
-allow domain property_contexts:file r_file_perms;
-
-allow domain init:key search;
-allow domain vold:key search;
-
-# logd access
-write_logd(domain)
-
-# System file accesses.
-allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
-allow domain system_file:lnk_file read;
-
-# read any sysfs symlinks
-allow domain sysfs:lnk_file read;
-
-# libc references /data/misc/zoneinfo for timezone related information
-r_dir_file(domain, zoneinfo_data_file)
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-r_dir_file(domain, sysfs_usb);
-
-# files under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:lnk_file read;
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-###
-### neverallow rules
-###
-
-# Do not allow any domain other than init or recovery to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-
-# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
-neverallow {
-  domain
-  -debuggerd
-  -vold
-  -dumpstate
-  -system_server
-  userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
-
-# Limit device node creation to these whitelisted domains.
-neverallow {
-  domain
-  -kernel
-  -init
-  -ueventd
-  -vold
-} self:capability mknod;
-
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
-neverallow {
-  domain
-  userdebug_or_eng(`-domain')
-  -kernel
-  -init
-  -recovery
-  -ueventd
-  -healthd
-  -uncrypt
-  -tee
-} self:capability sys_rawio;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
-
-# Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
-
-# Only init should be able to load SELinux policies.
-# The first load technically occurs while still in the kernel domain,
-# but this does not trigger a denial since there is no policy yet.
-# Policy reload requires allowing this to the init domain.
-neverallow { domain -init } kernel:security load_policy;
-
-# Only init and the system_server can set selinux.reload_policy 1
-# to trigger a policy reload.
-neverallow { domain -init -system_server } security_prop:property_service set;
-
-# Only init and system_server can write to /data/security, where runtime
-# policy updates live.
-# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
-neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
-# Only init and system_server can create/setattr directories with this type.
-# init is for init.rc mkdir /data/security.
-# system_server is for creating subdirectories under /data/security.
-neverallow { domain -init -system_server } security_file:dir { create setattr };
-# Only system_server can create subdirectories and files under /data/security.
-neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
-neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
-neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
-
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append write };
-
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-# init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
-
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
-#
-neverallow {
-    domain
-    -appdomain
-    -autoplay_app
-    -dumpstate
-    -shell
-    userdebug_or_eng(`-su')
-    -system_server
-    -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
-neverallow {
-    domain
-    -appdomain # for oemfs
-    -recovery # for /tmp/update_binary in tmpfs
-} { fs_type -rootfs }:file execute;
-# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
-  domain
-  -appdomain
-} {
-  data_file_type
-  -dalvikcache_data_file
-  -system_data_file # shared libs in apks
-  -apk_data_file
-}:file no_x_file_perms;
-
-neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Only recovery should be doing writes to /system
-neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
-    { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } system_file:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow { domain -recovery } contextmount_type:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Do not allow service_manager add for default_android_service.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in service.te and new mappings
-# from service name to service_type are defined in service_contexts.
-neverallow * default_android_service:service_manager add;
-
-# Require that domains explicitly label unknown properties, and do not allow
-# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
-
-neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
-
-# No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
-
-# No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
-
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
-  domain
-  userdebug_or_eng(`-domain') # exclude debuggable builds
-  -init
-  -uncrypt
-  -update_engine
-  -vold
-  -recovery
-  -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
-# Only servicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager } *:binder set_context_mgr;
-
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
-  domain
-  -init # TODO: limit init to relabelfrom for files
-  -zygote
-  -installd
-  -postinstall_dexopt
-  -cppreopts
-  -dex2oat
-  -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
-  domain
-  -init
-  -installd
-  -postinstall_dexopt
-  -cppreopts
-  -dex2oat
-  -zygote
-  -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
-# Only system_server should be able to send commands via the zygote socket
-neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } zygote_socket:sock_file write;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only dumpstate, shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
-  file_type
-  -system_data_file
-  -apk_data_file
-  -app_data_file
-  -asec_public_file
-}:file execmod;
-
-# Do not allow making the stack or heap executable.
-# We would also like to minimize execmem but it seems to be
-# required by some device-specific service domains.
-neverallow * self:process { execstack execheap };
-
-# prohibit non-zygote spawned processes from using shared libraries
-# with text relocations. b/20013628 .
-neverallow { domain -appdomain } file_type:file execmod;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
-  domain
-  -system_server
-  -system_app
-  -init
-  -installd # for relabelfrom and unlink, check for this in explicit neverallow
-} system_data_file:file no_w_file_perms;
-# do not grant anything greater than r_file_perms and relabelfrom unlink
-# to installd
-neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
-  domain
-  -adbd
-  -init
-  -runas
-  -zygote
-} shell:process { transition dyntransition };
-
-# Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -zygote } {
-  appdomain -shell userdebug_or_eng(`-su') -bluetooth
-}:process { transition dyntransition };
-
-# Minimize read access to shell- or app-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
-  domain
-  -appdomain
-  -installd
-  -uncrypt  # TODO: see if we can remove
-} app_data_file:lnk_file read;
-
-neverallow {
-  domain
-  -shell
-  userdebug_or_eng(`-uncrypt')
-  -installd
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
-# not be trusting any content in those directories.
-neverallow {
-  domain
-  -adbd
-  -dumpstate
-  -installd
-  -init
-  -shell
-  -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
-  domain
-  -adbd
-  -appdomain
-  -dumpstate
-  -init
-  -installd
-  -system_server # why?
-  userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
-  domain
-  -adbd
-  -appdomain
-  -dumpstate
-  -installd
-  userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
-# servicemanager is the only process which handles list request
-neverallow * ~servicemanager:service_manager list;
-
-# only service_manager_types can be added to service_manager
-neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
-
-neverallow {
-  domain
-  -init
-  -recovery
-  -sdcardd
-  -vold
-} fuse_device:chr_file open;
-neverallow {
-  domain
-  -dumpstate
-  -init
-  -priv_app
-  -recovery
-  -sdcardd
-  -system_server
-  -ueventd
-  -vold
-} fuse_device:chr_file *;
-
-# Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
-neverallow {
-  domain
-  -installd
-  -profman
-} profman_exec:file no_x_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file rootfs }:system module_load;
diff --git a/domain_deprecated.te b/domain_deprecated.te
deleted file mode 100644
index 00fb516..0000000
--- a/domain_deprecated.te
+++ /dev/null
@@ -1,74 +0,0 @@
-# rules removed from the domain attribute
-
-# Read access to properties mapping.
-allow domain_deprecated kernel:fd use;
-allow domain_deprecated tmpfs:file { read getattr };
-allow domain_deprecated tmpfs:lnk_file { read getattr };
-
-# Search /storage/emulated tmpfs mount.
-allow domain_deprecated tmpfs:dir r_dir_perms;
-
-# Inherit or receive open files from others.
-allow domain_deprecated system_server:fd use;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow domain_deprecated adbd:unix_stream_socket connectto;
-allow domain_deprecated adbd:fd use;
-allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# Root fs.
-allow domain_deprecated rootfs:dir r_dir_perms;
-allow domain_deprecated rootfs:file r_file_perms;
-allow domain_deprecated rootfs:lnk_file r_file_perms;
-
-# Device accesses.
-allow domain_deprecated device:file read;
-
-# System file accesses.
-allow domain_deprecated system_file:dir r_dir_perms;
-allow domain_deprecated system_file:file r_file_perms;
-allow domain_deprecated system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data.
-allow domain_deprecated system_data_file:dir { search getattr };
-allow domain_deprecated system_data_file:file { getattr read };
-allow domain_deprecated system_data_file:lnk_file r_file_perms;
-
-# Read apk files under /data/app.
-allow domain_deprecated apk_data_file:dir { getattr search };
-allow domain_deprecated apk_data_file:file r_file_perms;
-allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow domain_deprecated dalvikcache_data_file:dir { search getattr };
-allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-
-#Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
-r_dir_file({ domain_deprecated -isolated_app }, sysfs)
-r_dir_file(domain_deprecated, inotify)
-r_dir_file(domain_deprecated, cgroup)
-allow domain_deprecated proc_meminfo:file r_file_perms;
-r_dir_file(domain_deprecated, proc_net)
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-
-# /data/security files
-allow domain_deprecated security_file:dir { search getattr };
-allow domain_deprecated security_file:file getattr;
-allow domain_deprecated security_file:lnk_file r_file_perms;
-
-# World readable asec image contents
-allow domain_deprecated asec_public_file:file r_file_perms;
-allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/file.te b/file.te
deleted file mode 100644
index 87cec82..0000000
--- a/file.te
+++ /dev/null
@@ -1,262 +0,0 @@
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type;
-# Type for /proc/sys/vm/drop_caches
-type proc_drop_caches, fs_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject;
-type proc_bluetooth_writable, fs_type;
-type proc_cpuinfo, fs_type;
-type proc_iomem, fs_type;
-type proc_meminfo, fs_type;
-type proc_net, fs_type;
-type proc_sysrq, fs_type;
-type proc_uid_cputime_showstat, fs_type;
-type proc_uid_cputime_removeuid, fs_type;
-type selinuxfs, fs_type, mlstrustedobject;
-type cgroup, fs_type, mlstrustedobject;
-type sysfs, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_uio, sysfs_type, fs_type;
-type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_mac_address, fs_type, sysfs_type;
-type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
-type configfs, fs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-
-type sysfs_thermal, sysfs_type, fs_type;
-
-type sysfs_zram, fs_type, sysfs_type;
-type sysfs_zram_uevent, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
-type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
-type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
-type vfat, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type pstorefs, fs_type;
-type functionfs, fs_type;
-type oemfs, fs_type, contextmount_type;
-type usbfs, fs_type;
-type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
-
-# File types
-type unlabeled, file_type;
-# Default type for anything under /system.
-type system_file, file_type;
-# Type for /system/bin/logcat.
-type logcat_exec, exec_type, file_type;
-# /cores for coredumps on userdebug / eng builds
-type coredump_file, file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type;
-# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type;
-# /data/.layout_version or other installd-created files that
-# are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type;
-# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type;
-type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type;
-# /data/ota
-type ota_data_file, file_type, data_file_type;
-# /data/ota_package
-type ota_package_file, file_type, data_file_type, mlstrustedobject;
-# /data/misc/profiles
-type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
-type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type;
-# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/gps
-type gps_data_file, file_type, data_file_type;
-# /data/property
-type property_data_file, file_type, data_file_type;
-# /data/bootchart
-type bootchart_data_file, file_type, data_file_type;
-# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/nativetest
-type nativetest_data_file, file_type, data_file_type;
-# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, mlstrustedobject;
-# /data/preloads
-type preloads_data_file, file_type, data_file_type;
-
-# Mount locations managed by vold
-type mnt_media_rw_file, file_type;
-type mnt_user_file, file_type;
-type mnt_expand_file, file_type;
-type storage_file, file_type;
-
-# Label for storage dirs which are just mount stubs
-type mnt_media_rw_stub_file, file_type;
-type storage_stub_file, file_type;
-
-# /postinstall: Mount point used by update_engine to run postinstall.
-type postinstall_mnt_dir, file_type;
-# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type;
-type audio_data_file, file_type, data_file_type;
-type audioserver_data_file, file_type, data_file_type;
-type bluetooth_data_file, file_type, data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type;
-type bootstat_data_file, file_type, data_file_type;
-type boottrace_data_file, file_type, data_file_type;
-type camera_data_file, file_type, data_file_type;
-type gatekeeper_data_file, file_type, data_file_type;
-type keychain_data_file, file_type, data_file_type;
-type keystore_data_file, file_type, data_file_type;
-type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type;
-type net_data_file, file_type, data_file_type;
-type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type, mlstrustedobject;
-type recovery_data_file, file_type, data_file_type;
-type shared_relro_file, file_type, data_file_type;
-type systemkeys_data_file, file_type, data_file_type;
-type vpn_data_file, file_type, data_file_type;
-type wifi_data_file, file_type, data_file_type;
-type zoneinfo_data_file, file_type, data_file_type;
-type vold_data_file, file_type, data_file_type;
-type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
-# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
-
-# Compatibility with type names used in vanilla Android 4.3 and 4.4.
-typealias audio_data_file alias audio_firmware_file;
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type;
-type autoplay_data_file, file_type, data_file_type;
-# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, mlstrustedobject;
-# Compatibility with type name used in Android 4.3 and 4.4.
-typealias app_data_file alias platform_app_data_file;
-typealias app_data_file alias download_file;
-# Default type for anything under /cache
-type cache_file, file_type, mlstrustedobject;
-# Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, mlstrustedobject;
-# type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type;
-# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, mlstrustedobject;
-# Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
-# Type for user icon file.
-type icon_file, file_type, data_file_type;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type, mlstrustedobject;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, mlstrustedobject;
-# For /data/security
-type security_file, file_type;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Type for fingerprint template file.
-type fingerprintd_data_file, file_type, data_file_type;
-# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, mlstrustedobject;
-
-# Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type fwmarkd_socket, file_type, mlstrustedobject;
-type gps_socket, file_type;
-type installd_socket, file_type;
-type lmkd_socket, file_type;
-type logd_socket, file_type, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
-type mdns_socket, file_type;
-type mdnsd_socket, file_type, mlstrustedobject;
-type misc_logd_file, file_type;
-type mtpd_socket, file_type;
-type netd_socket, file_type;
-type property_socket, file_type;
-type racoon_socket, file_type;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type;
-type uncrypt_socket, file_type;
-type vold_socket, file_type;
-type wpa_socket, file_type;
-type zygote_socket, file_type;
-type sap_uim_socket, file_type;
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# property_contexts file
-type property_contexts, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-#   type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-#   type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
diff --git a/file_contexts b/file_contexts
deleted file mode 100644
index 085a57b..0000000
--- a/file_contexts
+++ /dev/null
@@ -1,404 +0,0 @@
-###########################################
-# Root
-/                   u:object_r:rootfs:s0
-
-# Data files
-/adb_keys           u:object_r:adb_keys_file:s0
-/build\.prop        u:object_r:rootfs:s0
-/default\.prop      u:object_r:rootfs:s0
-/fstab\..*          u:object_r:rootfs:s0
-/init\..*           u:object_r:rootfs:s0
-/res(/.*)?          u:object_r:rootfs:s0
-/selinux_version    u:object_r:rootfs:s0
-/ueventd\..*        u:object_r:rootfs:s0
-/verity_key         u:object_r:rootfs:s0
-
-# Executables
-/charger            u:object_r:rootfs:s0
-/init               u:object_r:init_exec:s0
-/sbin(/.*)?         u:object_r:rootfs:s0
-
-# Empty directories
-/lost\+found        u:object_r:rootfs:s0
-/acct               u:object_r:cgroup:s0
-/config             u:object_r:rootfs:s0
-/mnt                u:object_r:tmpfs:s0
-/postinstall        u:object_r:postinstall_mnt_dir:s0
-/proc               u:object_r:rootfs:s0
-/root               u:object_r:rootfs:s0
-/sys                u:object_r:sysfs:s0
-
-# Symlinks
-/bugreports         u:object_r:rootfs:s0
-/d                  u:object_r:rootfs:s0
-/etc                u:object_r:rootfs:s0
-/sdcard             u:object_r:rootfs:s0
-
-# SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/property_contexts  u:object_r:property_contexts:s0
-/seapp_contexts     u:object_r:rootfs:s0
-/sepolicy           u:object_r:rootfs:s0
-/service_contexts   u:object_r:rootfs:s0
-
-##########################
-# Devices
-#
-/dev(/.*)?		u:object_r:device:s0
-/dev/akm8973.*		u:object_r:sensors_device:s0
-/dev/accelerometer	u:object_r:sensors_device:s0
-/dev/adf[0-9]*		u:object_r:graphics_device:s0
-/dev/adf-interface[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
-/dev/adf-overlay-engine[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
-/dev/alarm		u:object_r:alarm_device:s0
-/dev/android_adb.*	u:object_r:adb_device:s0
-/dev/ashmem		u:object_r:ashmem_device:s0
-/dev/audio.*		u:object_r:audio_device:s0
-/dev/binder		u:object_r:binder_device:s0
-/dev/block(/.*)?	u:object_r:block_device:s0
-/dev/block/dm-[0-9]+	u:object_r:dm_device:s0
-/dev/block/loop[0-9]*	u:object_r:loop_device:s0
-/dev/block/vold/.+	u:object_r:vold_device:s0
-/dev/block/ram[0-9]*	u:object_r:ram_device:s0
-/dev/block/zram[0-9]*	u:object_r:ram_device:s0
-/dev/bus/usb(.*)?       u:object_r:usb_device:s0
-/dev/cam		u:object_r:video_device:s0
-/dev/console		u:object_r:console_device:s0
-/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
-/dev/device-mapper	u:object_r:dm_device:s0
-/dev/eac		u:object_r:audio_device:s0
-/dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
-/dev/full		u:object_r:full_device:s0
-/dev/fuse		u:object_r:fuse_device:s0
-/dev/graphics(/.*)?	u:object_r:graphics_device:s0
-/dev/hw_random		u:object_r:hw_random_device:s0
-/dev/i2c-[0-9]+		u:object_r:i2c_device:s0
-/dev/input(/.*)		u:object_r:input_device:s0
-/dev/iio:device[0-9]+   u:object_r:iio_device:s0
-/dev/ion		u:object_r:ion_device:s0
-/dev/kmem		u:object_r:kmem_device:s0
-/dev/log(/.*)?		u:object_r:log_device:s0
-/dev/mem		u:object_r:kmem_device:s0
-/dev/modem.*		u:object_r:radio_device:s0
-/dev/mpu		u:object_r:gps_device:s0
-/dev/mpuirq		u:object_r:gps_device:s0
-/dev/mtd(/.*)?		u:object_r:mtd_device:s0
-/dev/mtp_usb		u:object_r:mtp_device:s0
-/dev/pmsg0		u:object_r:pmsg_device:s0
-/dev/pn544		u:object_r:nfc_device:s0
-/dev/ppp		u:object_r:ppp_device:s0
-/dev/ptmx		u:object_r:ptmx_device:s0
-/dev/pvrsrvkm		u:object_r:gpu_device:s0
-/dev/kmsg		u:object_r:kmsg_device:s0
-/dev/null		u:object_r:null_device:s0
-/dev/nvhdcp1		u:object_r:video_device:s0
-/dev/random		u:object_r:random_device:s0
-/dev/rpmsg-omx[0-9]	u:object_r:rpmsg_device:s0
-/dev/rproc_user	u:object_r:rpmsg_device:s0
-/dev/rtc[0-9]      u:object_r:rtc_device:s0
-/dev/snd(/.*)?		u:object_r:audio_device:s0
-/dev/socket(/.*)?	u:object_r:socket_device:s0
-/dev/socket/adbd	u:object_r:adbd_socket:s0
-/dev/socket/sap_uim_socket[0-9]        u:object_r:sap_uim_socket:s0
-/dev/socket/cryptd	u:object_r:vold_socket:s0
-/dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
-/dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
-/dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
-/dev/socket/gps		u:object_r:gps_socket:s0
-/dev/socket/installd	u:object_r:installd_socket:s0
-/dev/socket/lmkd        u:object_r:lmkd_socket:s0
-/dev/socket/logd	u:object_r:logd_socket:s0
-/dev/socket/logdr	u:object_r:logdr_socket:s0
-/dev/socket/logdw	u:object_r:logdw_socket:s0
-/dev/socket/mdns	u:object_r:mdns_socket:s0
-/dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd	u:object_r:mtpd_socket:s0
-/dev/socket/netd	u:object_r:netd_socket:s0
-/dev/socket/property_service	u:object_r:property_socket:s0
-/dev/socket/racoon	u:object_r:racoon_socket:s0
-/dev/socket/rild	u:object_r:rild_socket:s0
-/dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
-/dev/socket/uncrypt	u:object_r:uncrypt_socket:s0
-/dev/socket/vold	u:object_r:vold_socket:s0
-/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
-/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
-/dev/socket/zygote	u:object_r:zygote_socket:s0
-/dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
-/dev/spdif_out.*	u:object_r:audio_device:s0
-/dev/tegra.*		u:object_r:video_device:s0
-/dev/tf_driver		u:object_r:tee_device:s0
-/dev/tty		u:object_r:owntty_device:s0
-/dev/tty[0-9]*		u:object_r:tty_device:s0
-/dev/ttyS[0-9]*		u:object_r:serial_device:s0
-/dev/tun		u:object_r:tun_device:s0
-/dev/uhid		u:object_r:uhid_device:s0
-/dev/uinput		u:object_r:uhid_device:s0
-/dev/uio[0-9]*		u:object_r:uio_device:s0
-/dev/urandom		u:object_r:urandom_device:s0
-/dev/usb_accessory	u:object_r:usbaccessory_device:s0
-/dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
-/dev/video[0-9]*	u:object_r:video_device:s0
-/dev/watchdog		u:object_r:watchdog_device:s0
-/dev/xt_qtaguid	u:object_r:qtaguid_device:s0
-/dev/zero		u:object_r:zero_device:s0
-/dev/__kmsg__		u:object_r:klog_device:s0
-/dev/__properties__ u:object_r:properties_device:s0
-#############################
-# System files
-#
-/system(/.*)?		u:object_r:system_file:s0
-/system/bin/atrace	u:object_r:atrace_exec:s0
-/system/bin/e2fsck	--	u:object_r:fsck_exec:s0
-/system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
-/system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
-/system/bin/toolbox	--	u:object_r:toolbox_exec:s0
-/system/bin/toybox	--	u:object_r:toolbox_exec:s0
-/system/bin/logcat	--	u:object_r:logcat_exec:s0
-/system/bin/sh		--	u:object_r:shell_exec:s0
-/system/bin/run-as	--	u:object_r:runas_exec:s0
-/system/bin/bootanimation u:object_r:bootanim_exec:s0
-/system/bin/bootstat		u:object_r:bootstat_exec:s0
-/system/bin/app_process32	u:object_r:zygote_exec:s0
-/system/bin/app_process64	u:object_r:zygote_exec:s0
-/system/bin/servicemanager	u:object_r:servicemanager_exec:s0
-/system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
-/system/bin/drmserver	u:object_r:drmserver_exec:s0
-/system/bin/dumpstate   u:object_r:dumpstate_exec:s0
-/system/bin/vold	u:object_r:vold_exec:s0
-/system/bin/netd	u:object_r:netd_exec:s0
-/system/bin/rild	u:object_r:rild_exec:s0
-/system/bin/audioserver	u:object_r:audioserver_exec:s0
-/system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
-/system/bin/mediaserver	u:object_r:mediaserver_exec:s0
-/system/bin/cameraserver	u:object_r:cameraserver_exec:s0
-/system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
-/system/bin/mediacodec	u:object_r:mediacodec_exec:s0
-/system/bin/mdnsd	u:object_r:mdnsd_exec:s0
-/system/bin/installd	u:object_r:installd_exec:s0
-/system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0
-/system/bin/otapreopt_slot   u:object_r:otapreopt_slot_exec:s0
-/system/bin/keystore	u:object_r:keystore_exec:s0
-/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
-/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
-/system/bin/debuggerd	u:object_r:debuggerd_exec:s0
-/system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
-/system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
-/system/bin/recovery-persist     u:object_r:recovery_persist_exec:s0
-/system/bin/recovery-refresh     u:object_r:recovery_refresh_exec:s0
-/system/bin/sdcard      u:object_r:sdcardd_exec:s0
-/system/bin/dhcpcd      u:object_r:dhcp_exec:s0
-/system/bin/dhcpcd-6.8.2	u:object_r:dhcp_exec:s0
-/system/bin/mtpd	u:object_r:mtp_exec:s0
-/system/bin/pppd	u:object_r:ppp_exec:s0
-/system/bin/tf_daemon	u:object_r:tee_exec:s0
-/system/bin/racoon	u:object_r:racoon_exec:s0
-/system/xbin/su		u:object_r:su_exec:s0
-/system/xbin/perfprofd  u:object_r:perfprofd_exec:s0
-/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
-/system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
-/system/bin/hostapd     u:object_r:hostapd_exec:s0
-/system/bin/clatd	u:object_r:clatd_exec:s0
-/system/bin/lmkd        u:object_r:lmkd_exec:s0
-/system/bin/inputflinger u:object_r:inputflinger_exec:s0
-/system/bin/logd        u:object_r:logd_exec:s0
-/system/bin/uncrypt     u:object_r:uncrypt_exec:s0
-/system/bin/update_verifier u:object_r:update_verifier_exec:s0
-/system/bin/logwrapper  u:object_r:system_file:s0
-/system/bin/vdc         u:object_r:vdc_exec:s0
-/system/bin/cppreopts.sh   u:object_r:cppreopts_exec:s0
-/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
-/system/bin/dex2oat     u:object_r:dex2oat_exec:s0
-# patchoat executable has (essentially) the same requirements as dex2oat.
-/system/bin/patchoat    u:object_r:dex2oat_exec:s0
-/system/bin/profman     u:object_r:profman_exec:s0
-/system/bin/sgdisk      u:object_r:sgdisk_exec:s0
-/system/bin/blkid       u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
-/system/bin/idmap u:object_r:idmap_exec:s0
-/system/bin/update_engine        u:object_r:update_engine_exec:s0
-/system/bin/bspatch              u:object_r:update_engine_exec:s0
-
-#############################
-# Vendor files
-#
-/vendor(/.*)?		u:object_r:system_file:s0
-/vendor/bin/gpsd	u:object_r:gpsd_exec:s0
-
-#############################
-# OEM and ODM files
-#
-/odm(/.*)?              u:object_r:system_file:s0
-/oem(/.*)?              u:object_r:oemfs:s0
-
-
-#############################
-# Data files
-#
-# NOTE: When modifying existing label rules, changes may also need to
-# propagate to the "Expanded data files" section.
-#
-/data(/.*)?		u:object_r:system_data_file:s0
-/data/.layout_version		u:object_r:install_data_file:s0
-/data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
-/data/backup(/.*)?		u:object_r:backup_data_file:s0
-/data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
-/data/security(/.*)?	u:object_r:security_file:s0
-/data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
-/data/drm(/.*)?		u:object_r:drm_data_file:s0
-/data/gps(/.*)?		u:object_r:gps_data_file:s0
-/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
-/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/ota(/.*)? u:object_r:ota_data_file:s0
-/data/ota_package(/.*)? u:object_r:ota_package_file:s0
-/data/adb(/.*)?		u:object_r:adb_data_file:s0
-/data/anr(/.*)?		u:object_r:anr_data_file:s0
-/data/app(/.*)?                       u:object_r:apk_data_file:s0
-/data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0
-/data/app/vmdl[^/]+\.tmp(/.*)?           u:object_r:apk_tmp_file:s0
-/data/app/vmdl[^/]+\.tmp/oat(/.*)?           u:object_r:dalvikcache_data_file:s0
-/data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
-/data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
-/data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
-/data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
-/data/media(/.*)?	u:object_r:media_rw_data_file:s0
-/data/mediadrm(/.*)?	u:object_r:media_data_file:s0
-/data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0
-/data/property(/.*)?	u:object_r:property_data_file:s0
-/data/preloads(/.*)?	u:object_r:preloads_data_file:s0
-
-# Misc data
-/data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
-/data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
-/data/misc/audioserver(/.*)?    u:object_r:audioserver_data_file:s0
-/data/misc/bootstat(/.*)?       u:object_r:bootstat_data_file:s0
-/data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
-/data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
-/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
-/data/misc/bluedroid(/.*)?      u:object_r:bluetooth_data_file:s0
-/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
-/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
-/data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
-/data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
-/data/misc/dhcp-6.8.2(/.*)?     u:object_r:dhcp_data_file:s0
-/data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
-/data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
-/data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
-/data/misc/logd(/.*)?           u:object_r:misc_logd_file:s0
-/data/misc/media(/.*)?          u:object_r:media_data_file:s0
-/data/misc/net(/.*)?            u:object_r:net_data_file:s0
-/data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
-/data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
-/data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
-/data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
-/data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
-/data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
-/data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
-/data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
-/data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
-/data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
-/data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
-/data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
-/data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
-/data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
-/data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
-/data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
-# TODO(calin) label profile reference differently so that only
-# profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
-/data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
-/data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
-/data/misc/profman(/.*)?        u:object_r:profman_dump_data_file:s0
-
-# Fingerprint data
-/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
-
-# Bootchart data
-/data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
-
-#############################
-# Expanded data files
-#
-/mnt/expand(/.*)?                                   u:object_r:mnt_expand_file:s0
-/mnt/expand/[^/]+(/.*)?                             u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/app(/.*)?                         u:object_r:apk_data_file:s0
-/mnt/expand/[^/]+/app/[^/]+/oat(/.*)?               u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)?          u:object_r:apk_tmp_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
-/mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
-/mnt/expand/[^/]+/misc/vold(/.*)?                   u:object_r:vold_data_file:s0
-
-# coredump directory for userdebug/eng devices
-/cores(/.*)?                    u:object_r:coredump_file:s0
-
-# Wallpaper files
-/data/system/users/[0-9]+/wallpaper_lock_orig	u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_lock	u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_orig	u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
-
-# Ringtone files
-/data/system_de/[0-9]+/ringtones(/.*)?          u:object_r:ringtone_file:s0
-
-# ShortcutManager icons, e.g.
-#   /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
-/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
-
-# User icon files
-/data/system/users/[0-9]+/photo.png             u:object_r:icon_file:s0
-
-#############################
-# efs files
-#
-/efs(/.*)?		u:object_r:efs_file:s0
-
-#############################
-# Cache files
-#
-/cache(/.*)?		u:object_r:cache_file:s0
-/cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/cache/backup_stage(/.*)?	u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/cache/backup(/.*)?		u:object_r:cache_private_backup_file:s0
-
-/data/cache(/.*)?		u:object_r:cache_file:s0
-/data/cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/data/cache/backup_stage(/.*)?	u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
-
-#############################
-# sysfs files
-#
-/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
-/sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
-/sys/devices/virtual/block/zram\d+(/.*)?     u:object_r:sysfs_zram:s0
-/sys/devices/virtual/block/zram\d+/uevent    u:object_r:sysfs_zram_uevent:s0
-/sys/devices/virtual/misc/hw_random(/.*)?    u:object_r:sysfs_hwrandom:s0
-/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
-/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
-/sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
-/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
-
-#############################
-# debugfs files
-#
-/sys/kernel/debug/tracing(/.*)?          u:object_r:debugfs_tracing:s0
-/sys/kernel/debug/tracing/trace_marker   u:object_r:debugfs_trace_marker:s0
-
-#############################
-# asec containers
-/mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
-/mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
-/mnt/asec/[^/]+/lib(/.*)?   u:object_r:asec_public_file:s0
-/data/app-asec(/.*)?        u:object_r:asec_image_file:s0
-
-#############################
-# external storage
-/mnt/media_rw(/.*)?         u:object_r:mnt_media_rw_file:s0
-/mnt/user(/.*)?             u:object_r:mnt_user_file:s0
-/mnt/runtime(/.*)?          u:object_r:storage_file:s0
-/storage(/.*)?              u:object_r:storage_file:s0
diff --git a/file_contexts_asan b/file_contexts_asan
deleted file mode 100644
index 5813d32..0000000
--- a/file_contexts_asan
+++ /dev/null
@@ -1,4 +0,0 @@
-/data/lib(/.*)?                u:object_r:system_file:s0
-/data/lib64(/.*)?              u:object_r:system_file:s0
-/data/vendor/lib(/.*)?         u:object_r:system_file:s0
-/data/vendor/lib64(/.*)?       u:object_r:system_file:s0
diff --git a/gatekeeperd.te b/gatekeeperd.te
deleted file mode 100644
index e394af3..0000000
--- a/gatekeeperd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-type gatekeeperd, domain, domain_deprecated;
-type gatekeeperd_exec, exec_type, file_type;
-
-# gatekeeperd
-init_daemon_domain(gatekeeperd)
-binder_service(gatekeeperd)
-binder_use(gatekeeperd)
-allow gatekeeperd tee_device:chr_file rw_file_perms;
-
-# need to find KeyStore and add self
-allow gatekeeperd gatekeeper_service:service_manager { add find };
-
-# Need to add auth tokens to KeyStore
-use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
-
-# For permissions checking
-allow gatekeeperd system_server:binder call;
-allow gatekeeperd permission_service:service_manager find;
-# For parent user ID lookup
-allow gatekeeperd user_service:service_manager find;
-
-# for SID file access
-allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
-allow gatekeeperd gatekeeper_data_file:file create_file_perms;
-
-# For hardware properties retrieval
-allow gatekeeperd hardware_properties_service:service_manager find;
-
-neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/gpsd.te b/gpsd.te
deleted file mode 100644
index cd20295..0000000
--- a/gpsd.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# gpsd - GPS daemon
-type gpsd, domain;
-type gpsd_exec, exec_type, file_type;
-
-init_daemon_domain(gpsd)
-net_domain(gpsd)
-allow gpsd gps_data_file:dir rw_dir_perms;
-allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
-# Socket is created by the daemon, not by init, and under /data/gps,
-# not under /dev/socket.
-type_transition gpsd gps_data_file:sock_file gps_socket;
-allow gpsd gps_socket:sock_file create_file_perms;
-# XXX Label sysfs files with a specific type?
-allow gpsd sysfs:file rw_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow gpsd sysfs_usb:file w_file_perms;
-
-allow gpsd gps_device:chr_file rw_file_perms;
-
-# Execute the shell or system commands.
-allow gpsd shell_exec:file rx_file_perms;
-allow gpsd system_file:file rx_file_perms;
-allow gpsd toolbox_exec:file rx_file_perms;
-
-###
-### neverallow
-###
-
-# gpsd can never have capabilities other than block_suspend
-neverallow gpsd self:capability *;
-neverallow gpsd self:capability2 ~block_suspend;
diff --git a/hci_attach.te b/hci_attach.te
deleted file mode 100644
index 543cae1..0000000
--- a/hci_attach.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hci_attach, domain, domain_deprecated;
-type hci_attach_exec, exec_type, file_type;
-
-init_daemon_domain(hci_attach)
-
-allow hci_attach kernel:system module_request;
-allow hci_attach hci_attach_dev:chr_file rw_file_perms;
-allow hci_attach bluetooth_efs_file:dir r_dir_perms;
-allow hci_attach bluetooth_efs_file:file r_file_perms;
diff --git a/hostapd.te b/hostapd.te
deleted file mode 100644
index 204a0d9..0000000
--- a/hostapd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# userspace wifi access points
-type hostapd, domain, domain_deprecated;
-type hostapd_exec, exec_type, file_type;
-
-net_domain(hostapd)
-
-allow hostapd self:capability { net_admin net_raw setuid setgid };
-allow hostapd self:netlink_socket create_socket_perms;
-allow hostapd self:netlink_generic_socket create_socket_perms;
-allow hostapd self:packet_socket create_socket_perms;
-allow hostapd self:netlink_route_socket nlmsg_write;
-
-allow hostapd wifi_data_file:file rw_file_perms;
-allow hostapd wifi_data_file:dir create_dir_perms;
-type_transition hostapd wifi_data_file:dir wpa_socket "sockets";
-type_transition hostapd wifi_data_file:dir wpa_socket "hostapd";
-allow hostapd wpa_socket:dir create_dir_perms;
-allow hostapd wpa_socket:sock_file create_file_perms;
-allow hostapd netd:fd use;
-allow hostapd netd:udp_socket { read write };
-allow hostapd netd:fifo_file { read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow hostapd netd:netlink_kobject_uevent_socket { read write };
-allow hostapd netd:netlink_nflog_socket { read write };
-allow hostapd netd:netlink_route_socket { read write };
-allow hostapd netd:unix_stream_socket { read write };
-allow hostapd netd:unix_dgram_socket { read write };
diff --git a/isolated_app.te b/isolated_app.te
deleted file mode 100644
index 978982a..0000000
--- a/isolated_app.te
+++ /dev/null
@@ -1,78 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-### isolated_app includes all the appdomain rules, plus the
-### additional following rules:
-###
-
-type isolated_app, domain, domain_deprecated;
-app_domain(isolated_app)
-
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { read write getattr lock };
-
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
-#####
-##### Neverallow
-#####
-
-# Do not allow isolated_app to directly open tun_device
-neverallow isolated_app tun_device:chr_file open;
-
-# Do not allow isolated_app to set system properties.
-neverallow isolated_app property_socket:sock_file write;
-neverallow isolated_app property_type:property_service set;
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
-neverallow isolated_app {
-    service_manager_type
-    -activity_service
-    -display_service
-    -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
-# ioctl permission, or 3. disallow the socket class.
-neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow isolated_app *:{
-  socket netlink_socket packet_socket key_socket appletalk_socket
-  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
-  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
-  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
-  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
-  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
-  netlink_rdma_socket netlink_crypto_socket
-} *;
diff --git a/logd.te b/logd.te
deleted file mode 100644
index bc97a37..0000000
--- a/logd.te
+++ /dev/null
@@ -1,68 +0,0 @@
-# android user-space log manager
-type logd, domain, domain_deprecated, mlstrustedsubject;
-type logd_exec, exec_type, file_type;
-
-init_daemon_domain(logd)
-
-# Read access to pseudo filesystems.
-r_dir_file(logd, proc)
-r_dir_file(logd, proc_net)
-
-allow logd self:capability { setuid setgid sys_nice audit_control };
-allow logd self:capability2 syslog;
-allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file w_file_perms;
-allow logd system_data_file:file r_file_perms;
-# logpersist is only allowed on userdebug and eng builds
-userdebug_or_eng(`
-  allow logd misc_logd_file:file create_file_perms;
-  allow logd misc_logd_file:dir rw_dir_perms;
-')
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-
-# Set persist.sys. and sys.powerctl
-set_prop(logd, safemode_prop)
-set_prop(logd, powerctl_prop)
-
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-userdebug_or_eng(`get_prop(logd, logpersistd_logging_prop)')
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
-  unix_socket_connect(logd, logdr, logd)
-')
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
-
-# logd is not allowed to write anywhere other than /data/misc/logd, and then
-# only on userdebug or eng builds
-neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file { create write append };
-
-# logpersist is only allowed on userdebug/eng builds
-neverallow { domain userdebug_or_eng(`-logd -shell -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain userdebug_or_eng(`-logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
-neverallow { domain -init } misc_logd_file:dir create;
diff --git a/mediacodec.te b/mediacodec.te
deleted file mode 100644
index 3d3625a..0000000
--- a/mediacodec.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# mediacodec - audio and video codecs live here
-type mediacodec, domain;
-type mediacodec_exec, exec_type, file_type;
-
-typeattribute mediacodec mlstrustedsubject;
-
-init_daemon_domain(mediacodec)
-
-binder_use(mediacodec)
-binder_call(mediacodec, binderservicedomain)
-binder_call(mediacodec, appdomain)
-binder_service(mediacodec)
-
-allow mediacodec mediacodec_service:service_manager add;
-allow mediacodec surfaceflinger_service:service_manager find;
-allow mediacodec gpu_device:chr_file rw_file_perms;
-allow mediacodec video_device:chr_file rw_file_perms;
-allow mediacodec video_device:dir search;
-allow mediacodec ion_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# mediacodec should never execute any executable without a
-# domain transition
-neverallow mediacodec { file_type fs_type }:file execute_no_trans;
-
-# mediacodec should never need network access. Disallow network sockets.
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/mediadrmserver.te b/mediadrmserver.te
deleted file mode 100644
index d9368ad..0000000
--- a/mediadrmserver.te
+++ /dev/null
@@ -1,67 +0,0 @@
-# mediadrmserver - mediadrm daemon
-type mediadrmserver, domain;
-type mediadrmserver_exec, exec_type, file_type;
-
-typeattribute mediadrmserver mlstrustedsubject;
-
-net_domain(mediadrmserver)
-init_daemon_domain(mediadrmserver)
-
-binder_use(mediadrmserver)
-binder_call(mediadrmserver, binderservicedomain)
-binder_call(mediadrmserver, appdomain)
-binder_service(mediadrmserver)
-
-# Required by Widevine DRM (b/22990512)
-allow mediadrmserver self:process execmem;
-
-# System file accesses.
-allow mediadrmserver system_file:dir r_dir_perms;
-allow mediadrmserver system_file:file r_file_perms;
-allow mediadrmserver system_file:lnk_file r_file_perms;
-
-# Read files already opened under /data.
-allow mediadrmserver system_data_file:dir { search getattr };
-allow mediadrmserver system_data_file:file { getattr read };
-allow mediadrmserver system_data_file:lnk_file r_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(mediadrmserver, cgroup)
-allow mediadrmserver cgroup:dir { search write };
-allow mediadrmserver cgroup:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow mediadrmserver ion_device:chr_file rw_file_perms;
-
-# Allow access to app_data and media_data_files
-allow mediadrmserver media_data_file:dir create_dir_perms;
-allow mediadrmserver media_data_file:file create_file_perms;
-allow mediadrmserver media_data_file:file { getattr read };
-
-allow mediadrmserver tee_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow mediadrmserver sysfs:file r_file_perms;
-
-# Connect to tee service.
-allow mediadrmserver tee:unix_stream_socket connectto;
-
-allow mediadrmserver mediadrmserver_service:service_manager { add find };
-allow mediadrmserver mediaserver_service:service_manager { add find };
-allow mediadrmserver processinfo_service:service_manager find;
-allow mediadrmserver surfaceflinger_service:service_manager find;
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
-  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/mediaextractor.te b/mediaextractor.te
deleted file mode 100644
index 3ebb5b7..0000000
--- a/mediaextractor.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# mediaextractor - multimedia daemon
-type mediaextractor, domain, domain_deprecated;
-type mediaextractor_exec, exec_type, file_type;
-
-typeattribute mediaextractor mlstrustedsubject;
-
-init_daemon_domain(mediaextractor)
-
-binder_use(mediaextractor)
-binder_call(mediaextractor, binderservicedomain)
-binder_call(mediaextractor, appdomain)
-binder_service(mediaextractor)
-
-allow mediaextractor mediaextractor_service:service_manager add;
-
-###
-### neverallow rules
-###
-
-# mediaextractor should never execute any executable without a
-# domain transition
-neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-
-# mediaextractor should never need network access. Disallow network sockets.
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/netd.te b/netd.te
deleted file mode 100644
index 6302073..0000000
--- a/netd.te
+++ /dev/null
@@ -1,100 +0,0 @@
-# network manager
-type netd, domain, domain_deprecated, mlstrustedsubject;
-type netd_exec, exec_type, file_type;
-
-init_daemon_domain(netd)
-net_domain(netd)
-
-allow netd self:capability { net_admin net_raw kill };
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set.  We do not appear to truly need this capability
-# for netd to operate.
-dontaudit netd self:capability fsetid;
-
-allow netd self:netlink_kobject_uevent_socket create_socket_perms;
-allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms;
-allow netd self:netlink_socket create_socket_perms;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms;
-allow netd self:netlink_netfilter_socket create_socket_perms;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-allow netd devpts:chr_file rw_file_perms;
-
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file write;
-
-# For /sys/modules/bcmdhd/parameters/firmware_path
-# XXX Split into its own type.
-allow netd sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow netd sysfs_usb:file write;
-
-# Needed to update /data/misc/wifi/hostapd.conf
-# TODO: See what we can do to reduce the need for
-# these capabilities
-allow netd self:capability { dac_override chown fowner };
-allow netd wifi_data_file:file create_file_perms;
-allow netd wifi_data_file:dir rw_dir_perms;
-
-# Needed to update /data/misc/net/rt_tables
-allow netd net_data_file:file create_file_perms;
-allow netd net_data_file:dir rw_dir_perms;
-
-# Allow netd to spawn hostapd in it's own domain
-domain_auto_trans(netd, hostapd_exec, hostapd)
-allow netd hostapd:process signal;
-
-# Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-allow netd dnsmasq:process signal;
-
-# Allow netd to start clatd in its own domain
-domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
-
-set_prop(netd, ctl_mdnsd_prop)
-
-# Allow netd to publish a binder service and make binder calls.
-binder_use(netd)
-allow netd netd_service:service_manager add;
-allow netd dumpstate:fifo_file  { getattr write };
-
-# Allow netd to call into the system server so it can check permissions.
-allow netd system_server:binder call;
-allow netd permission_service:service_manager find;
-
-# Allow netd to talk to the framework service which collects netd events.
-allow netd netd_listener_service:service_manager find;
-
-# Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
-allow netd netdomain:fd use;
-
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
-
-# only system_server and dumpstate may interact with netd over binder
-neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } netd:binder call;
-neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/neverallow_macros b/neverallow_macros
deleted file mode 100644
index b36cceb..0000000
--- a/neverallow_macros
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# Common neverallow permissions
-define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
-define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
-define(`no_x_file_perms', `{ execute execute_no_trans }')
-define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
diff --git a/policy_capabilities b/policy_capabilities
deleted file mode 100644
index c7b9d9c..0000000
--- a/policy_capabilities
+++ /dev/null
@@ -1,5 +0,0 @@
-# Enable new networking controls.
-policycap network_peer_controls;
-
-# Enable open permission check.
-policycap open_perms;
diff --git a/access_vectors b/private/access_vectors
similarity index 76%
rename from access_vectors
rename to private/access_vectors
index 26286b2..74cf530 100644
--- a/access_vectors
+++ b/private/access_vectors
@@ -24,7 +24,6 @@
 	link
 	rename
 	execute
-	swapon
 	quotaon
 	mounton
 }
@@ -57,8 +56,6 @@
 	shutdown
 	recvfrom
 	sendto
-	recv_msg
-	send_msg
 	name_bind
 }
 
@@ -80,6 +77,60 @@
 }
 
 #
+# Define a common for capability access vectors.
+#
+common cap
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the cap2 common.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+common cap2
+{
+	mac_override	# unused by SELinux
+	mac_admin	# unused by SELinux
+	syslog
+	wake_alarm
+	block_suspend
+	audit_read
+}
+
+#
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
@@ -97,7 +148,6 @@
 	getattr
 	relabelfrom
 	relabelto
-	transition
 	associate
 	quotamod
 	quotaget
@@ -184,9 +234,6 @@
 class tcp_socket
 inherits socket
 {
-	connectto
-	newconn
-	acceptfrom
 	node_bind
 	name_connect
 }
@@ -205,29 +252,12 @@
 
 class node
 {
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	enforce_dest
-	dccp_recv
-	dccp_send
 	recvfrom
 	sendto
 }
 
 class netif
 {
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	dccp_recv
-	dccp_send
 	ingress
 	egress
 }
@@ -245,8 +275,6 @@
 inherits socket
 {
 	connectto
-	newconn
-	acceptfrom
 }
 
 class unix_dgram_socket
@@ -356,59 +384,14 @@
 }
 
 #
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
 #
 
 class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the capability2 class.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown
-	dac_override
-	dac_read_search
-	fowner
-	fsetid
-	kill
-	setgid
-	setuid
-	setpcap
-	linux_immutable
-	net_bind_service
-	net_broadcast
-	net_admin
-	net_raw
-	ipc_lock
-	ipc_owner
-	sys_module
-	sys_rawio
-	sys_chroot
-	sys_ptrace
-	sys_pacct
-	sys_admin
-	sys_boot
-	sys_nice
-	sys_resource
-	sys_time
-	sys_tty_config
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
+inherits cap
 
 class capability2
-{
-	mac_override	# unused by SELinux
-	mac_admin	# unused by SELinux
-	syslog
-	wake_alarm
-	block_suspend
-	audit_read
-}
+inherits cap2
 
 #
 # Extended Netlink classes
@@ -420,13 +403,6 @@
 	nlmsg_write
 }
 
-class netlink_firewall_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
 class netlink_tcpdiag_socket
 inherits socket
 {
@@ -457,13 +433,6 @@
 	nlmsg_tty_audit
 }
 
-class netlink_ip6fw_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
 class netlink_dnrt_socket
 inherits socket
 
@@ -569,6 +538,124 @@
 class netlink_crypto_socket
 inherits socket
 
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+	node_bind
+}
+
+class icmp_socket
+inherits socket
+{
+	node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
 class property_service
 {
 	set
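Review bot: The new sctp_socket, icmp_socket and ax25_socket…qipcrtr_socket classes change what a socket-class neverallow covers, and nothing in this hunk warns maintainers of that: the comment at "were previously mapped to rawip_socket"/"mapped to the socket class" means a rule that today denies `socket` or `rawip_socket` stops covering these types as soon as the extended_socket_class policy capability is enabled. The isolated_app neverallow removed by this same change enumerated `socket netlink_socket packet_socket …` explicitly, and its replacement is not visible here, so I cannot confirm it lists the new classes; the deleted policy_capabilities file declared only network_peer_controls and open_perms, so whether `policycap extended_socket_class;` is declared anywhere is also not visible. I would add above `class sctp_socket` the comment `# Neverallow rules that enumerate socket classes must list these too: once extended_socket_class is enabled they are no longer covered by socket/rawip_socket.` The same caveat applies to cap_userns/cap2_userns versus rules written against `capability`/`capability2`.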
@@ -581,6 +668,13 @@
 	list
 }
 
+class hwservice_manager
+{
+	add
+	find
+	list
+}
+
 class keystore_key
 {
 	get_state
@@ -601,12 +695,7 @@
 	clear_uid
 	add_auth
 	user_changed
-}
-
-class debuggerd
-{
-	dump_tombstone
-	dump_backtrace
+	gen_unique_id
 }
 
 class drmservice {
diff --git a/adbd.te b/private/adbd.te
similarity index 74%
rename from adbd.te
rename to private/adbd.te
index 83a271b..52597eb 100644
--- a/adbd.te
+++ b/private/adbd.te
@@ -1,14 +1,15 @@
-# adbd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type adbd, domain, mlstrustedsubject;
+### ADB daemon
+
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+domain_auto_trans(adbd, shell_exec, shell)
 
 userdebug_or_eng(`
   allow adbd self:process setcurrent;
   allow adbd su:process dyntransition;
 ')
 
-domain_auto_trans(adbd, shell_exec, shell)
-
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };
@@ -22,8 +23,7 @@
 # Create and use network sockets.
 net_domain(adbd)
 
-# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
-allow adbd adb_device:chr_file rw_file_perms;
+# Access /dev/usb-ffs/adb/ep0
 allow adbd functionfs:dir search;
 allow adbd functionfs:file rw_file_perms;
 
@@ -57,6 +57,9 @@
 # Access device logging gating property
 get_prop(adbd, device_logging_prop)
 
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
@@ -69,6 +72,9 @@
 allow adbd ion_device:chr_file rw_file_perms;
 r_dir_file(adbd, system_file)
 
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
+
 # Read /data/misc/adb/adb_keys.
 allow adbd adb_keys_file:dir search;
 allow adbd adb_keys_file:file r_file_perms;
@@ -82,9 +88,9 @@
 ')
 
 # ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd { app_data_file autoplay_data_file }:dir search;
-allow adbd { app_data_file autoplay_data_file }:sock_file write;
-allow adbd { appdomain autoplay_app }:unix_stream_socket connectto;
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
 
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
@@ -94,6 +100,14 @@
 allow adbd selinuxfs:dir r_dir_perms;
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
+
+# Allow pulling config.gz for CTS purposes
+allow adbd config_gz:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
@@ -113,3 +127,15 @@
 allow adbd media_rw_data_file:file create_file_perms;
 
 r_dir_file(adbd, apk_data_file)
+
+allow adbd rootfs:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
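Review bot: The comment on the new neverallow block says adbd must "never" transition to su, but the dyntransition rule on the last line exempts su on userdebug/eng builds, which is exactly the `allow adbd su:process dyntransition` granted in the userdebug_or_eng block earlier in this file; the comment should state the real guarantee. I would replace the three comment lines with `# No transitions from adbd to non-shell, non-crash_dump domains. On user builds adbd must never reach su (aka "adb root"); userdebug/eng builds permit the su dyntransition granted above.` The added `allow adbd rootfs:dir r_dir_perms;` also lands without a why-comment, unlike the neighbouring rules; a one-line note on what reads the rootfs directory would help the next reviewer judge whether it is still needed.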
diff --git a/app.te b/private/app.te
similarity index 69%
rename from app.te
rename to private/app.te
index e9dd7b3..4b9d87d 100644
--- a/app.te
+++ b/private/app.te
@@ -7,6 +7,10 @@
 ### zygote spawned apps should be added here.
 ###
 
+# TODO: deal with tmpfs_domain pub/priv split properly
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
 
@@ -19,9 +23,6 @@
 # valgrind needs mmap exec for zygote
 allow appdomain zygote_exec:file rx_file_perms;
 
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
 # Notify zygote of death;
 allow appdomain zygote:process sigchld;
 
@@ -34,8 +35,8 @@
 allow appdomain dalvikcache_data_file:file r_file_perms;
 
 # Read the /sdcard and /mnt/sdcard symlinks
-allow appdomain rootfs:lnk_file r_file_perms;
-allow appdomain tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
 
 # Search /storage/emulated tmpfs mount.
 allow appdomain tmpfs:dir r_dir_perms;
@@ -57,6 +58,7 @@
 allow appdomain devpts:chr_file { getattr read write ioctl };
 
 # Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
 allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
@@ -67,34 +69,59 @@
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
+# Query whether a Surface supports wide color
+allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 # App sandbox file accesses.
 allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
 allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
 
-# lib subdirectory of /data/data dir is system-owned.
-allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute execute_no_trans open execmod };
-
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
 
 # Keychain and user-trusted credentials
-allow appdomain keychain_data_file:dir r_dir_perms;
-allow appdomain keychain_data_file:file r_file_perms;
+r_dir_file(appdomain, keychain_data_file)
 allow appdomain misc_user_data_file:dir r_dir_perms;
 allow appdomain misc_user_data_file:file r_file_perms;
 
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
 # Access to OEM provided data and apps
 allow appdomain oemfs:dir r_dir_perms;
 allow appdomain oemfs:file rx_file_perms;
 
 # Execute the shell or other system executables.
-allow appdomain shell_exec:file rx_file_perms;
-allow appdomain system_file:file rx_file_perms;
-allow appdomain toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
-r_dir_file(appdomain, system_file)
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+    allow appdomain vendor_file_type:dir r_dir_perms;
+    allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+    # For looking up Renderscript vendor drivers
+    allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
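Review bot: The comment above the vendor_app_file rules ("Allow apps access to /vendor/app except for privileged apps which cannot be in /vendor") does not describe the rule it sits on: the excluded set is `{ -ephemeral_app -untrusted_v2_app }`, the same exclusions used for shell_exec, toolbox_exec and system_file execute a few lines up, and no privileged-app domain is excluded. I would rewrite it as `# Allow apps to read and execute /vendor/app. ephemeral_app and untrusted_v2_app are excluded, matching the shell_exec/toolbox_exec/system_file execute rules above.` If the intent really is about privileged apps not living under /vendor, that belongs in a separate sentence so it is not read as the rule's exclusion. The narrowing of `system_file:file` from rx_file_perms to x_file_perms and the removal of the system_data_file execute/execmod rule are worth a brief comment too, since they are the security-relevant tightening in this hunk and appear with no explanation.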
@@ -124,13 +151,6 @@
 # Write profiles /data/misc/profiles
 allow appdomain user_profile_data_file:dir { search write add_name };
 allow appdomain user_profile_data_file:file create_file_perms;
-# Profiles for foreign dex files are just markers and only need create permissions.
-allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
-allow appdomain user_profile_foreign_dex_data_file:file create;
-# There is no way to create user_profile_foreign_dex_data_file without
-# generating open/read denials. These permissions should not be granted and the
-# denial is harmless. dontaudit to suppress the denial.
-dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };
 
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
@@ -142,6 +162,8 @@
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
+# read /proc/net/xt_qtguid/stats
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
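Review bot: The comment above the new `r_dir_file({ appdomain -ephemeral_app}, proc_net)` says it is for reading /proc/net/xt_qtaguid/stats, but the rule grants read on everything carrying the proc_net label, which is presumably more than that one file; either the comment should state the real scope or the rule should target a narrower type if one exists. The comment also misspells the directory as "xt_qtguid", and the set lacks the space before `}` used by every other set in this file. Suggested lines: `# read /proc/net/xt_qtaguid/stats (granted via the whole proc_net label)` and `r_dir_file({ appdomain -ephemeral_app }, proc_net)`.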
@@ -156,6 +178,17 @@
 binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
 
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
@@ -169,39 +202,44 @@
 allow appdomain cache_backup_file:file { read write getattr };
 allow appdomain cache_backup_file:dir getattr;
 # Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file getattr;
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read };
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow appdomain media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
 
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow appdomain radio_data_file:file { read write getattr };
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
 
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow appdomain storage_file:dir r_dir_perms;
-allow appdomain storage_file:lnk_file r_file_perms;
-allow appdomain mnt_user_file:dir r_dir_perms;
-allow appdomain mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow appdomain fuse:dir create_dir_perms;
-allow appdomain fuse:file create_file_perms;
-allow appdomain sdcardfs:dir create_dir_perms;
-allow appdomain sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
-allow appdomain vfat:dir r_dir_perms;
-allow appdomain vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
 # USB devices are first opened by the system server (USBDeviceManagerService)
 # and the file descriptor is passed to the right Activity via binder.
-allow appdomain usb_device:chr_file { read write getattr ioctl };
-allow appdomain usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
 
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
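Review bot: `allow appdomain system_data_file:file { getattr read };` widens app access to system_data_file (previously only lnk_file getattr) for every app domain, including isolated_app and ephemeral_app, whereas every other grant in this hunk is narrowed to `{ appdomain -isolated_app -ephemeral_app }`. If the access is only for file descriptors handed to the app during 'adb backup', as the preceding comment suggests, it should be restricted the same way, e.g. `allow { appdomain -isolated_app -ephemeral_app } system_data_file:file { getattr read };`, and the comment should say the files arrive by fd. Otherwise a one-line comment is needed explaining why isolated and ephemeral apps require it.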
@@ -213,7 +251,7 @@
 
 # Allow apps to read/execute installed binaries
 allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file { rx_file_perms execmod };
+allow appdomain apk_data_file:file rx_file_perms;
 
 # /data/resource-cache
 allow appdomain resourcecache_data_file:file r_file_perms;
@@ -221,13 +259,13 @@
 
 # logd access
 read_logd(appdomain)
-control_logd(appdomain)
+control_logd({ appdomain -ephemeral_app untrusted_v2_app })
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
-allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
 
-use_keystore({ appdomain -isolated_app })
+use_keystore({ appdomain -isolated_app -ephemeral_app })
 
 allow appdomain console_device:chr_file { read write };
 
@@ -236,10 +274,37 @@
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# TODO is write really necessary ?
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
 
 # For app fuse.
 allow appdomain app_fuse_file:file { getattr read append write };
 
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
 ###
 ### CTS-specific rules
 ###
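Review bot: `allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;` only passes the new private/app_neverallows.te rule (which forbids untrusted apps from finding any hwservice_manager_type other than same_process_hwservice and the listed exemptions) if hal_renderscript_hwservice carries same_process_hwservice; the "always-passthrough" comment hints at that but does not state it. Suggested comment: `# RenderScript always-passthrough HAL (same_process_hwservice, hence exempt from the untrusted-app hwservice_manager neverallow)`. The `# TODO is write really necessary ?` above the ion_device auditallow should also carry a bug id like the other TODOs in this hunk so the auditallow is removed once data has been collected.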
@@ -256,7 +321,7 @@
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
@@ -285,7 +350,6 @@
     audio_device
     camera_device
     dm_device
-    gps_device
     radio_device
     rpmsg_device
     video_device
@@ -303,12 +367,10 @@
 # Privileged netlink socket interfaces.
 neverallow appdomain
     domain:{
-        netlink_firewall_socket
         netlink_tcpdiag_socket
         netlink_nflog_socket
         netlink_xfrm_socket
         netlink_audit_socket
-        netlink_ip6fw_socket
         netlink_dnrt_socket
     } *;
 
@@ -322,7 +384,6 @@
 
 # Unix domain sockets.
 neverallow appdomain adbd_socket:sock_file write;
-neverallow appdomain installd_socket:sock_file write;
 neverallow { appdomain -radio } rild_socket:sock_file write;
 neverallow appdomain vold_socket:sock_file write;
 neverallow appdomain zygote_socket:sock_file write;
@@ -341,10 +402,12 @@
     { sigkill sigstop signal };
 
 # Transition to a non-app domain.
-# Exception for the shell domain and the su domain, can transition to runas,
-# etc.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+    { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
-    { transition dyntransition };
+    { dyntransition };
 
 # Write to rootfs.
 neverallow appdomain rootfs:dir_file_class_set
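Review bot: `# Exception for crash_dump.` states the exemption but not its reason, and the split into a separate transition-only neverallow is otherwise hard to follow. The reason is visible later in this same commit (private/domain.te sets up `domain_auto_trans(domain, crash_dump_exec, crash_dump)` for every domain), so a comment such as `# Exception for crash_dump: domain.te auto-transitions every domain to crash_dump on crash.` would let the next reader see why app domains may transition there without consulting the other file.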
@@ -368,9 +431,6 @@
 # Write to various other parts of /data.
 neverallow appdomain drm_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -system_app }
-    gps_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
     apk_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
@@ -417,10 +477,7 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app }
-    kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shell }
-    kernel:system syslog_read;
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
@@ -434,7 +491,6 @@
   dev_type
   rootfs
   system_file
-  security_file
   tmpfs
 }:lnk_file no_w_file_perms;
 
@@ -453,6 +509,16 @@
   -apk_data_file
 }:file no_x_file_perms;
 
-# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
-neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
-neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
+# Applications should use the activity model for receiving events
+neverallow {
+  appdomain
+  -shell # bugreport
+} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+  appdomain
+  -bluetooth
+  -system_app
+} bluetooth_prop:file create_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
new file mode 100644
index 0000000..0917724
--- /dev/null
+++ b/private/app_neverallows.te
@@ -0,0 +1,172 @@
+###
+### neverallow rules for untrusted app domains
+###
+
+# Only allow domains in AOSP to use the untrusted_app_all attribute.
+neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
+
+define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
+# Receive or send uevent messages.
+neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow all_untrusted_apps domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow all_untrusted_apps debugfs_type:file read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow all_untrusted_apps service_manager_type:service_manager add;
+
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
+# Do not allow untrusted apps to connect to the property service
+# or set properties. b/10243159
+neverallow all_untrusted_apps property_socket:sock_file write;
+neverallow all_untrusted_apps init:unix_stream_socket connectto;
+neverallow all_untrusted_apps property_type:property_service set;
+
+# Do not allow untrusted apps to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints.  As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and an untrusted app is allowed fork permission to itself.
+neverallow all_untrusted_apps mlstrustedsubject:process fork;
+
+# Do not allow untrusted apps to hard link to any files.
+# In particular, if an untrusted app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted apps never have this
+# capability.
+neverallow all_untrusted_apps file_type:file link;
+
+# Do not allow untrusted apps to access network MAC address file
+neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow all_untrusted_apps *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
+
+# Do not allow untrusted apps access to /cache
+neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted apps to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow all_untrusted_apps {
+  fs_type
+  -fuse                     # sdcard
+  -sdcardfs                 # sdcard
+  -vfat
+  file_type
+  -app_data_file            # The apps sandbox itself
+  -media_rw_data_file       # Internal storage. Known that apps can
+                            # leave artfacts here after uninstall.
+  -user_profile_data_file   # Access to profile files
+  userdebug_or_eng(`
+    -method_trace_data_file # only on ro.debuggable=1
+    -coredump_file          # userdebug/eng only
+  ')
+}:dir_file_class_set { create unlink };
+
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
+# Do not allow untrusted apps to directly open tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow all_untrusted_apps anr_data_file:file ~{ open append };
+neverallow all_untrusted_apps anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+#    currently does not expose caller UID information and, even if it did, many
+#    HwBinder services either operate at a level below that of apps (e.g., HALs)
+#    or must not rely on app identity for authorization. Thus, to be safe, the
+#    default assumption is that every HwBinder service treats all its clients as
+#    equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+#    incidence rate of security issues than system/core components and have
+#    access to lower layes of the stack (all the way down to hardware) thus
+#    increasing opportunities for bypassing the Android security model.
+neverallow all_untrusted_apps {
+  hwservice_manager_type
+  # Same process services are safe because they by definition run in the process
+  # of the client and thus have the same access as the client domain in which
+  # the process runs
+  -same_process_hwservice
+  -coredomain_hwservice # neverallows for coredomain HwBinder services are below
+  -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
+  # These operations are also offered by surfaceflinger Binder service which
+  # apps are permitted to access
+  -hal_graphics_allocator_hwservice
+  # HwBinder version of mediacodec Binder service which apps were permitted to
+  # access
+  -hal_omx_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+  coredomain_hwservice
+  -same_process_hwservice
+  -hidl_allocator_hwservice # Designed for use by any domain
+  -hidl_manager_hwservice # Designed for use by any domain
+  -hidl_memory_hwservice # Designed for use by any domain
+  -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+  neverallow all_untrusted_apps {
+    halserverdomain
+    -coredomain
+    -hal_configstore_server
+    -hal_graphics_allocator_server
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  }:binder { call transfer };
+')
diff --git a/private/asan_extract.te b/private/asan_extract.te
new file mode 100644
index 0000000..1c20d78
--- /dev/null
+++ b/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
diff --git a/atrace.te b/private/atrace.te
similarity index 91%
rename from atrace.te
rename to private/atrace.te
index 31cf9e7..94d8483 100644
--- a/atrace.te
+++ b/private/atrace.te
@@ -1,9 +1,10 @@
 # Domain for atrace process spawned by boottrace service.
+
 type atrace_exec, exec_type, file_type;
 
 userdebug_or_eng(`
+  type atrace, domain, coredomain, domain_deprecated;
 
-  type atrace, domain, domain_deprecated;
   init_daemon_domain(atrace)
 
   # boottrace services uses /data/misc/boottrace/categories
@@ -20,5 +21,4 @@
   binder_use(atrace)
   allow atrace healthd:binder call;
   allow atrace surfaceflinger:binder call;
-
 ')
diff --git a/private/attributes b/private/attributes
new file mode 100644
index 0000000..fcbfecf
--- /dev/null
+++ b/private/attributes
@@ -0,0 +1,9 @@
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;
diff --git a/private/audioserver.te b/private/audioserver.te
new file mode 100644
index 0000000..9119daa
--- /dev/null
+++ b/private/audioserver.te
@@ -0,0 +1,66 @@
+# audioserver - audio services daemon
+
+typeattribute audioserver coredomain;
+
+type audioserver_exec, exec_type, file_type;
+init_daemon_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, appdomain)
+binder_service(audioserver)
+
+hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
+hal_client_domain(audioserver, hal_audio)
+
+userdebug_or_eng(`
+  # used for TEE sink - pcm capture for debug.
+  allow audioserver media_data_file:dir create_dir_perms;
+  allow audioserver audioserver_data_file:dir create_dir_perms;
+  allow audioserver audioserver_data_file:file create_file_perms;
+
+  # ptrace to processes in the same domain for memory leak detection
+  allow audioserver self:process ptrace;
+')
+
+add_service(audioserver, audioserver_service)
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
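Review bot: `r_dir_file(audioserver, sdcard_type)` near the top of this new file gives the audio daemon read access to external storage without any comment, while every other non-obvious grant in the file (system_file, audio_device, the userdebug ptrace) is explained. Given the neverallow section's own stated goal of keeping media processing in a tightly limited sandbox, a one-line comment naming the use case is warranted, e.g. `# <reason audioserver must read external storage by path — fill in>`; if the files could instead be passed by fd, the grant should be dropped.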
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
new file mode 100644
index 0000000..4a1218e
--- /dev/null
+++ b/private/binder_in_vendor_violators.te
@@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/binderservicedomain.te b/private/binderservicedomain.te
similarity index 69%
rename from binderservicedomain.te
rename to private/binderservicedomain.te
index a2157a4..0891ee5 100644
--- a/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -1,9 +1,9 @@
 # Rules common to all binder service domains
 
-# Allow dumpstate to collect information from binder services
-allow binderservicedomain dumpstate:fd use;
-allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain dumpstate:fifo_file  { getattr write };
+# Allow dumpstate and incidentd to collect information from binder services
+allow binderservicedomain { dumpstate incidentd }:fd use;
+allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain { dumpstate incidentd }:fifo_file  { getattr write };
 allow binderservicedomain shell_data_file:file { getattr write };
 
 # Allow dumpsys to work from adb shell or the serial console
diff --git a/blkid.te b/private/blkid.te
similarity index 94%
rename from blkid.te
rename to private/blkid.te
index 43bc944..090912b 100644
--- a/blkid.te
+++ b/private/blkid.te
@@ -1,5 +1,7 @@
 # blkid called from vold
-type blkid, domain, domain_deprecated;
+
+typeattribute blkid coredomain;
+
 type blkid_exec, exec_type, file_type;
 
 # Allowed read-only access to encrypted devices to extract UUID/label
diff --git a/blkid_untrusted.te b/private/blkid_untrusted.te
similarity index 95%
rename from blkid_untrusted.te
rename to private/blkid_untrusted.te
index da3bdac..1256771 100644
--- a/blkid_untrusted.te
+++ b/private/blkid_untrusted.te
@@ -1,5 +1,6 @@
 # blkid for untrusted block devices
-type blkid_untrusted, domain, domain_deprecated;
+
+typeattribute blkid_untrusted coredomain;
 
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
diff --git a/bluetooth.te b/private/bluetooth.te
similarity index 70%
rename from bluetooth.te
rename to private/bluetooth.te
index a5b4d71..1c0e14f 100644
--- a/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,8 +1,17 @@
 # bluetooth subsystem
-type bluetooth, domain, domain_deprecated;
+
+typeattribute bluetooth coredomain;
+typeattribute bluetooth domain_deprecated;
+
 app_domain(bluetooth)
 net_domain(bluetooth)
 
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
 wakelock_use(bluetooth);
 
 # Data file accesses.
@@ -12,26 +21,21 @@
 allow bluetooth bluetooth_logs_data_file:file create_file_perms;
 
 # Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
 allow bluetooth bluetooth_socket:sock_file create_file_perms;
 
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
 allow bluetooth self:capability2 wake_alarm;
 
 # tethering
-allow bluetooth self:packet_socket create_socket_perms;
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
 allow bluetooth self:capability { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms;
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
 allow bluetooth tun_device:chr_file rw_file_perms;
 allow bluetooth efs_file:dir search;
 
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
@@ -48,19 +52,18 @@
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 
-# Bluetooth Sim Access Profile Socket to the RIL
-unix_socket_connect(bluetooth, sap_uim, rild)
-
 # already open bugreport file descriptors may be shared with
 # the bluetooth process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
 allow bluetooth shell_data_file:file read;
 
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow bluetooth media_rw_data_file:dir create_dir_perms;
-allow bluetooth media_rw_data_file:file create_file_perms;
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:capability sys_nice;
+
+hal_client_domain(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_telephony)
+
+read_runtime_log_tags(bluetooth)
 
 ###
 ### Neverallow rules
@@ -69,6 +72,6 @@
 ###
 
 # Superuser capabilities.
-# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
 neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
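Review bot: `~{ net_admin net_raw net_bind_service sys_nice};` is missing the space before the closing brace that every other set in this file uses; suggested line: `neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice };`. The updated comment above it still lists wake_alarm and block_suspend alongside the capability set even though those are capability2 and checked by the following line, which is pre-existing but could be split into one sentence per class while the comment is being touched.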
diff --git a/bluetoothdomain.te b/private/bluetoothdomain.te
similarity index 100%
rename from bluetoothdomain.te
rename to private/bluetoothdomain.te
diff --git a/private/bootanim.te b/private/bootanim.te
new file mode 100644
index 0000000..8c9f6c7
--- /dev/null
+++ b/private/bootanim.te
@@ -0,0 +1,3 @@
+typeattribute bootanim coredomain;
+
+init_daemon_domain(bootanim)
diff --git a/private/bootstat.te b/private/bootstat.te
new file mode 100644
index 0000000..806144c
--- /dev/null
+++ b/private/bootstat.te
@@ -0,0 +1,3 @@
+typeattribute bootstat coredomain;
+
+init_daemon_domain(bootstat)
diff --git a/private/bufferhubd.te b/private/bufferhubd.te
new file mode 100644
index 0000000..012eb20
--- /dev/null
+++ b/private/bufferhubd.te
@@ -0,0 +1,3 @@
+typeattribute bufferhubd coredomain;
+
+init_daemon_domain(bufferhubd)
diff --git a/private/cameraserver.te b/private/cameraserver.te
new file mode 100644
index 0000000..c16c132
--- /dev/null
+++ b/private/cameraserver.te
@@ -0,0 +1,3 @@
+typeattribute cameraserver coredomain;
+
+init_daemon_domain(cameraserver)
diff --git a/private/charger.te b/private/charger.te
new file mode 100644
index 0000000..65109de
--- /dev/null
+++ b/private/charger.te
@@ -0,0 +1 @@
+typeattribute charger coredomain;
diff --git a/private/clatd.te b/private/clatd.te
new file mode 100644
index 0000000..c09398d
--- /dev/null
+++ b/private/clatd.te
@@ -0,0 +1,2 @@
+typeattribute clatd coredomain;
+typeattribute clatd domain_deprecated;
diff --git a/private/cppreopts.te b/private/cppreopts.te
new file mode 100644
index 0000000..34f0d66
--- /dev/null
+++ b/private/cppreopts.te
@@ -0,0 +1,6 @@
+typeattribute cppreopts coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
diff --git a/private/crash_dump.te b/private/crash_dump.te
new file mode 100644
index 0000000..fb73f08
--- /dev/null
+++ b/private/crash_dump.te
@@ -0,0 +1 @@
+typeattribute crash_dump coredomain;
diff --git a/private/dex2oat.te b/private/dex2oat.te
new file mode 100644
index 0000000..89c3970
--- /dev/null
+++ b/private/dex2oat.te
@@ -0,0 +1,2 @@
+typeattribute dex2oat coredomain;
+typeattribute dex2oat domain_deprecated;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
new file mode 100644
index 0000000..db81d0d
--- /dev/null
+++ b/private/dexoptanalyzer.te
@@ -0,0 +1,26 @@
+# dexoptanalyzer
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+type dexoptanalyzer_exec, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexoptanalyzer vs other
+#processes.
+tmpfs_domain(dexoptanalyzer)
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+
+allow dexoptanalyzer installd:fd use;
+
+# Allow reading secondary dex files that were reported by the app to the
+# package manager.
+allow dexoptanalyzer app_data_file:dir { getattr search };
+allow dexoptanalyzer app_data_file:file r_file_perms;
+
+# Allow testing /data/user/0 which symlinks to /data/data
+allow dexoptanalyzer system_data_file:lnk_file { getattr };
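Review bot: The type declaration `type dexoptanalyzer, domain, coredomain, mlstrustedsubject;` attaches mlstrustedsubject, which exempts the domain from MLS constraints, but nothing in the file says why it is needed. From the app_data_file rules further down it is presumably to read per-user app data regardless of MLS category; I would state that explicitly, e.g. `# mlstrustedsubject: must read app_data_file across all user categories (secondary dex files)`, so the exemption can be revisited if that need goes away. Two comment lines are also hard to read: "Read symlinks in /data/dalvik-cache. This is required for PIC mode boot app_data_file the oat file is symlinked to the original file in /system." looks like a missing word or line break, and `#processes` lacks the space used by every other comment in the file.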
diff --git a/private/dhcp.te b/private/dhcp.te
new file mode 100644
index 0000000..6a6a139
--- /dev/null
+++ b/private/dhcp.te
@@ -0,0 +1,5 @@
+typeattribute dhcp coredomain;
+typeattribute dhcp domain_deprecated;
+
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/private/dnsmasq.te b/private/dnsmasq.te
new file mode 100644
index 0000000..96084b4
--- /dev/null
+++ b/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/private/domain.te b/private/domain.te
new file mode 100644
index 0000000..d37a0bd
--- /dev/null
+++ b/private/domain.te
@@ -0,0 +1,18 @@
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow {
+  domain
+  -vold
+  -dumpstate
+  -storaged
+  -system_server
+  userdebug_or_eng(`-perfprofd')
+} self:capability sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
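Review bot: The sys_ptrace neverallow exemption list (`-vold`, `-dumpstate`, `-storaged`, `-system_server`, `userdebug_or_eng(`-perfprofd')`) does not record why each domain needs the capability, so a future addition cannot be judged against the original rationale. The commit title says system_server's sys_ptrace replaces sys_resource, but the hunk does not say what system_server uses it for; given the header comment ("ptrace or read sensitive /proc/pid files of processes with other UIDs") it is presumably the /proc/pid read case rather than actual ptrace, which I would confirm and note per entry, e.g. `-system_server # reads /proc/pid of other UIDs; does not ptrace -- confirm`. The neverallow is only a build-time assertion; the corresponding allow rules live outside this hunk.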
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
new file mode 100644
index 0000000..aefb724
--- /dev/null
+++ b/private/domain_deprecated.te
@@ -0,0 +1,311 @@
+# rules removed from the domain attribute
+
+# Search /storage/emulated tmpfs mount.
+allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
+userdebug_or_eng(`
+auditallow {
+  domain_deprecated
+  -appdomain
+  -installd
+  -sdcardd
+  -surfaceflinger
+  -system_server
+  -vold
+  -zygote
+} tmpfs:dir r_dir_perms;
+')
+
+# Inherit or receive open files from others.
+allow domain_deprecated system_server:fd use;
+userdebug_or_eng(`
+auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
+')
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow domain_deprecated adbd:fd use;
+userdebug_or_eng(`
+auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+')
+
+# Root fs.
+allow domain_deprecated rootfs:dir r_dir_perms;
+allow domain_deprecated rootfs:file r_file_perms;
+allow domain_deprecated rootfs:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+  domain_deprecated
+  -fsck
+  -healthd
+  -installd
+  -servicemanager
+  -system_server
+  -ueventd
+  -uncrypt
+  -vold
+  -zygote
+} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+  domain_deprecated
+  -healthd
+  -installd
+  -servicemanager
+  -system_server
+  -ueventd
+  -uncrypt
+  -vold
+  -zygote
+} rootfs:file r_file_perms;
+auditallow {
+  domain_deprecated
+  -appdomain
+  -healthd
+  -installd
+  -servicemanager
+  -system_server
+  -ueventd
+  -uncrypt
+  -vold
+  -zygote
+} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+')
+
+# System file accesses.
+allow domain_deprecated system_file:dir r_dir_perms;
+userdebug_or_eng(`
+auditallow {
+  domain_deprecated
+  -appdomain
+  -fingerprintd
+  -installd
+  -keystore
+  -surfaceflinger
+  -system_server
+  -update_engine
+  -vold
+  -zygote
+} system_file:dir { open read ioctl lock }; # search getattr in domain
+')
+
+# Read files already opened under /data.
+allow domain_deprecated system_data_file:file { getattr read };
+allow domain_deprecated system_data_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+  domain_deprecated
+  -appdomain
+  -sdcardd
+  -system_server
+  -tee
+} system_data_file:file { getattr read };
+auditallow {
+  domain_deprecated
+  -appdomain
+  -system_server
+  -tee
+} system_data_file:lnk_file r_file_perms;
+')
+
+# Read apk files under /data/app.
+allow domain_deprecated apk_data_file:dir { getattr search };
+allow domain_deprecated apk_data_file:file r_file_perms;
+allow domain_deprecated apk_data_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dex2oat
+  -installd
+  -system_server
+} apk_data_file:dir { getattr search };
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dex2oat
+  -installd
+  -system_server
+} apk_data_file:file r_file_perms;
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dex2oat
+  -installd
+  -system_server
+} apk_data_file:lnk_file r_file_perms;
+')
+
+# Read already opened /cache files.
+allow domain_deprecated cache_file:dir r_dir_perms;
+allow domain_deprecated cache_file:file { getattr read };
+allow domain_deprecated cache_file:lnk_file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+  domain_deprecated
+  -system_server
+  -vold
+} cache_file:dir { open read search ioctl lock };
+auditallow {
+  domain_deprecated
+  -appdomain
+  -system_server
+  -vold
+} cache_file:dir getattr;
+auditallow {
+  domain_deprecated
+  -system_server
+  -vold
+} cache_file:file { getattr read };
+auditallow {
+  domain_deprecated
+  -system_server
+  -vold
+} cache_file:lnk_file r_file_perms;
+')
+
+# Allow access to ion memory allocation device
+allow domain_deprecated ion_device:chr_file rw_file_perms;
+# split this auditallow into read and write perms since most domains seem to
+# only require read
+userdebug_or_eng(`
+auditallow {
+  domain_deprecated
+  -appdomain
+  -fingerprintd
+  -keystore
+  -surfaceflinger
+  -system_server
+  -tee
+  -vold
+  -zygote
+} ion_device:chr_file r_file_perms;
+auditallow domain_deprecated ion_device:chr_file { write append };
+')
+
+# Read access to pseudo filesystems.
+r_dir_file(domain_deprecated, proc)
+r_dir_file(domain_deprecated, sysfs)
+r_dir_file(domain_deprecated, cgroup)
+allow domain_deprecated proc_meminfo:file r_file_perms;
+
+userdebug_or_eng(`
+auditallow {
+  domain_deprecated
+  -fsck
+  -fsck_untrusted
+  -sdcardd
+  -system_server
+  -update_engine
+  -vold
+} proc:file r_file_perms;
+auditallow {
+  domain_deprecated
+  -fsck
+  -fsck_untrusted
+  -system_server
+  -vold
+} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
+auditallow {
+  domain_deprecated
+  -bluetooth
+  -fingerprintd
+  -healthd
+  -netd
+  -system_app
+  -surfaceflinger
+  -system_server
+  -tee
+  -ueventd
+  -vold
+} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+  domain_deprecated
+  -bluetooth
+  -fingerprintd
+  -healthd
+  -netd
+  -system_app
+  -surfaceflinger
+  -system_server
+  -tee
+  -ueventd
+  -vold
+} sysfs:file r_file_perms;
+auditallow {
+  domain_deprecated
+  -bluetooth
+  -fingerprintd
+  -healthd
+  -netd
+  -system_app
+  -surfaceflinger
+  -system_server
+  -tee
+  -ueventd
+  -vold
+} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dumpstate
+  -fingerprintd
+  -healthd
+  -inputflinger
+  -installd
+  -keystore
+  -netd
+  -surfaceflinger
+  -system_server
+  -zygote
+} cgroup:dir r_dir_perms;
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dumpstate
+  -fingerprintd
+  -healthd
+  -inputflinger
+  -installd
+  -keystore
+  -netd
+  -surfaceflinger
+  -system_server
+  -zygote
+} cgroup:{ file lnk_file } r_file_perms;
+auditallow {
+  domain_deprecated
+  -appdomain
+  -surfaceflinger
+  -system_server
+  -vold
+} proc_meminfo:file r_file_perms;
+')
+
+# Get SELinux enforcing status.
+allow domain_deprecated selinuxfs:dir r_dir_perms;
+allow domain_deprecated selinuxfs:file r_file_perms;
+userdebug_or_eng(`
+auditallow {
+  domain_deprecated
+  -appdomain
+  -installd
+  -keystore
+  -postinstall_dexopt
+  -runas
+  -servicemanager
+  -system_server
+  -ueventd
+  -zygote
+} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+  domain_deprecated
+  -appdomain
+  -installd
+  -keystore
+  -postinstall_dexopt
+  -runas
+  -servicemanager
+  -system_server
+  -ueventd
+  -zygote
+} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+')
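Review bot: The `r_dir_file(domain_deprecated, proc)` grant is only partially audited: the userdebug_or_eng block that follows has auditallow rules for `proc:file` and `proc:lnk_file` but none for `proc:dir`, whereas the sibling grants for sysfs and cgroup each audit `:dir` as well. If the dir permissions on proc are already granted by the base domain attribute (as the "search granted in domain" comments suggest for other types), a comment saying so would make the omission deliberate, e.g. `# proc:dir not audited: perms already granted in domain -- confirm`; otherwise an auditallow mirroring the sysfs one is needed so the remaining users of this deprecated grant can be found. The file header `# rules removed from the domain attribute` could also state the intent that the auditallow exception lists are the migration tracker for each rule.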
diff --git a/private/drmserver.te b/private/drmserver.te
new file mode 100644
index 0000000..afe4f0a
--- /dev/null
+++ b/private/drmserver.te
@@ -0,0 +1,7 @@
+typeattribute drmserver coredomain;
+
+init_daemon_domain(drmserver)
+
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/private/dumpstate.te b/private/dumpstate.te
new file mode 100644
index 0000000..0fe2adf
--- /dev/null
+++ b/private/dumpstate.te
@@ -0,0 +1,26 @@
+typeattribute dumpstate coredomain;
+typeattribute dumpstate domain_deprecated;
+
+init_daemon_domain(dumpstate)
+
+# Execute and transition to the vdc domain
+domain_auto_trans(dumpstate, vdc_exec, vdc)
+
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+allow dumpstate dumpstate_tmpfs:file execute;
+
+# systrace support - allow atrace to run
+allow dumpstate debugfs_tracing:dir r_dir_perms;
+allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_trace_marker:file getattr;
+allow dumpstate atrace_exec:file rx_file_perms;
+allow dumpstate storaged_exec:file rx_file_perms;
+
+# Allow dumpstate to make binder calls to storaged service
+binder_call(dumpstate, storaged)
+
+# Collect metrics on boot time created by init
+get_prop(dumpstate, boottime_prop)
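Review bot: The rule `allow dumpstate dumpstate_tmpfs:file execute;` is guarded only by `# TODO: deal with tmpfs_domain pub/priv split properly`, which neither says why dumpstate must execute files out of its own tmpfs nor references a tracking bug, so the TODO has no owner and the grant has no stated justification. Executing from writable memory-backed files is the kind of permission that is normally justified per domain; I would expand the comment to name the consumer and the bug, e.g. `# TODO(b/XXXXXXXX): <which tool> executes from tmpfs; remove once the pub/priv tmpfs split exists` (bug id is a placeholder). The rest of the file (atrace, storaged, vdc transition) is self-documenting.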
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
new file mode 100644
index 0000000..2d4b1f1
--- /dev/null
+++ b/private/ephemeral_app.te
@@ -0,0 +1,67 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+typeattribute ephemeral_app coredomain;
+
+net_domain(ephemeral_app)
+app_domain(ephemeral_app)
+
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
+# services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediacodec_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediacasserver_service:service_manager find;
+allow ephemeral_app surfaceflinger_service:service_manager find;
+allow ephemeral_app radio_service:service_manager find;
+allow ephemeral_app ephemeral_app_api_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# Executable content should never be loaded from an ephemeral app home directory.
+neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
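Review bot: The grant `allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};` includes unrestricted `ioctl` on descriptors handed to the app, while the neverallow section carefully forbids `open`/`create` and dir `search` on the same types. If the ioctl set is not already bounded by an allowxperm/neverallowxperm rule in the app_domain macro (outside this hunk), it would be worth scoping it here or stating why the full ioctl space is needed, e.g. `# ioctl on passed-in fds is intentionally unrestricted because ... -- confirm`. The neverallow block header could also note that these rules are stricter than the general app policy by design, since that is the stated purpose of the domain.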
diff --git a/private/file.te b/private/file.te
new file mode 100644
index 0000000..da5f9ad
--- /dev/null
+++ b/private/file.te
@@ -0,0 +1,7 @@
+# Compatibility with type names used in vanilla Android 4.3 and 4.4.
+typealias audio_data_file alias audio_firmware_file;
+typealias app_data_file alias platform_app_data_file;
+typealias app_data_file alias download_file;
+
+# /proc/config.gz
+type config_gz, fs_type;
diff --git a/private/file_contexts b/private/file_contexts
new file mode 100644
index 0000000..b13807f
--- /dev/null
+++ b/private/file_contexts
@@ -0,0 +1,539 @@
+###########################################
+# Root
+/                   u:object_r:rootfs:s0
+
+# Data files
+/adb_keys           u:object_r:adb_keys_file:s0
+/build\.prop        u:object_r:rootfs:s0
+/default\.prop      u:object_r:rootfs:s0
+/fstab\..*          u:object_r:rootfs:s0
+/init\..*           u:object_r:rootfs:s0
+/res(/.*)?          u:object_r:rootfs:s0
+/selinux_version    u:object_r:rootfs:s0
+/ueventd\..*        u:object_r:rootfs:s0
+/verity_key         u:object_r:rootfs:s0
+
+# Executables
+/charger            u:object_r:rootfs:s0
+/init               u:object_r:init_exec:s0
+/sbin(/.*)?         u:object_r:rootfs:s0
+
+# For kernel modules
+/lib(/.*)?          u:object_r:rootfs:s0
+
+# Empty directories
+/lost\+found        u:object_r:rootfs:s0
+/acct               u:object_r:cgroup:s0
+/config             u:object_r:rootfs:s0
+/mnt                u:object_r:tmpfs:s0
+/postinstall        u:object_r:postinstall_mnt_dir:s0
+/proc               u:object_r:rootfs:s0
+/root               u:object_r:rootfs:s0
+/sys                u:object_r:sysfs:s0
+
+# Symlinks
+/bugreports         u:object_r:rootfs:s0
+/d                  u:object_r:rootfs:s0
+/etc                u:object_r:rootfs:s0
+/sdcard             u:object_r:rootfs:s0
+
+# SELinux policy files
+/file_contexts\.bin     u:object_r:file_contexts_file:s0
+/nonplat_file_contexts  u:object_r:file_contexts_file:s0
+/plat_file_contexts     u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil      u:object_r:sepolicy_file:s0
+/plat_property_contexts  u:object_r:property_contexts_file:s0
+/nonplat_property_contexts  u:object_r:property_contexts_file:s0
+/seapp_contexts     u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/sepolicy           u:object_r:sepolicy_file:s0
+/plat_service_contexts   u:object_r:service_contexts_file:s0
+/plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/nonplat_service_contexts   u:object_r:service_contexts_file:s0
+/nonplat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/vndservice_contexts   u:object_r:vndservice_contexts_file:s0
+
+##########################
+# Devices
+#
+/dev(/.*)?		u:object_r:device:s0
+/dev/akm8973.*		u:object_r:sensors_device:s0
+/dev/accelerometer	u:object_r:sensors_device:s0
+/dev/adf[0-9]*		u:object_r:graphics_device:s0
+/dev/adf-interface[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
+/dev/adf-overlay-engine[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
+/dev/alarm		u:object_r:alarm_device:s0
+/dev/ashmem		u:object_r:ashmem_device:s0
+/dev/audio.*		u:object_r:audio_device:s0
+/dev/binder		u:object_r:binder_device:s0
+/dev/block(/.*)?	u:object_r:block_device:s0
+/dev/block/dm-[0-9]+	u:object_r:dm_device:s0
+/dev/block/loop[0-9]*	u:object_r:loop_device:s0
+/dev/block/vold/.+	u:object_r:vold_device:s0
+/dev/block/ram[0-9]*	u:object_r:ram_device:s0
+/dev/block/zram[0-9]*	u:object_r:ram_device:s0
+/dev/bus/usb(.*)?       u:object_r:usb_device:s0
+/dev/cam		u:object_r:camera_device:s0
+/dev/console		u:object_r:console_device:s0
+/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
+/dev/device-mapper	u:object_r:dm_device:s0
+/dev/eac		u:object_r:audio_device:s0
+/dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
+/dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
+/dev/full		u:object_r:full_device:s0
+/dev/fuse		u:object_r:fuse_device:s0
+/dev/graphics(/.*)?	u:object_r:graphics_device:s0
+/dev/hw_random		u:object_r:hw_random_device:s0
+/dev/hwbinder		u:object_r:hwbinder_device:s0
+/dev/i2c-[0-9]+		u:object_r:i2c_device:s0
+/dev/input(/.*)		u:object_r:input_device:s0
+/dev/iio:device[0-9]+   u:object_r:iio_device:s0
+/dev/ion		u:object_r:ion_device:s0
+/dev/keychord   u:object_r:keychord_device:s0
+/dev/kmem		u:object_r:kmem_device:s0
+/dev/log(/.*)?		u:object_r:log_device:s0
+/dev/loop-control	u:object_r:loop_control_device:s0
+/dev/mem		u:object_r:kmem_device:s0
+/dev/modem.*		u:object_r:radio_device:s0
+/dev/mtd(/.*)?		u:object_r:mtd_device:s0
+/dev/mtp_usb		u:object_r:mtp_device:s0
+/dev/pmsg0		u:object_r:pmsg_device:s0
+/dev/pn544		u:object_r:nfc_device:s0
+/dev/port		u:object_r:port_device:s0
+/dev/ppp		u:object_r:ppp_device:s0
+/dev/ptmx		u:object_r:ptmx_device:s0
+/dev/pvrsrvkm		u:object_r:gpu_device:s0
+/dev/kmsg		u:object_r:kmsg_device:s0
+/dev/null		u:object_r:null_device:s0
+/dev/nvhdcp1		u:object_r:video_device:s0
+/dev/random		u:object_r:random_device:s0
+/dev/rpmsg-omx[0-9]	u:object_r:rpmsg_device:s0
+/dev/rproc_user	u:object_r:rpmsg_device:s0
+/dev/rtc[0-9]      u:object_r:rtc_device:s0
+/dev/snd(/.*)?		u:object_r:audio_device:s0
+/dev/snd/audio_timer_device	u:object_r:audio_timer_device:s0
+/dev/snd/audio_seq_device	u:object_r:audio_seq_device:s0
+/dev/socket(/.*)?	u:object_r:socket_device:s0
+/dev/socket/adbd	u:object_r:adbd_socket:s0
+/dev/socket/cryptd	u:object_r:vold_socket:s0
+/dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
+/dev/socket/lmkd        u:object_r:lmkd_socket:s0
+/dev/socket/logd	u:object_r:logd_socket:s0
+/dev/socket/logdr	u:object_r:logdr_socket:s0
+/dev/socket/logdw	u:object_r:logdw_socket:s0
+/dev/socket/mdns	u:object_r:mdns_socket:s0
+/dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
+/dev/socket/mtpd	u:object_r:mtpd_socket:s0
+/dev/socket/netd	u:object_r:netd_socket:s0
+/dev/socket/pdx/system/buffer_hub	u:object_r:pdx_bufferhub_dir:s0
+/dev/socket/pdx/system/buffer_hub/client	u:object_r:pdx_bufferhub_client_endpoint_socket:s0
+/dev/socket/pdx/system/performance	u:object_r:pdx_performance_dir:s0
+/dev/socket/pdx/system/performance/client	u:object_r:pdx_performance_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display	u:object_r:pdx_display_dir:s0
+/dev/socket/pdx/system/vr/display/client	u:object_r:pdx_display_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/manager	u:object_r:pdx_display_manager_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/screenshot	u:object_r:pdx_display_screenshot_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/vsync	u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/property_service	u:object_r:property_socket:s0
+/dev/socket/racoon	u:object_r:racoon_socket:s0
+/dev/socket/rild	u:object_r:rild_socket:s0
+/dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/uncrypt	u:object_r:uncrypt_socket:s0
+/dev/socket/vold	u:object_r:vold_socket:s0
+/dev/socket/webview_zygote	u:object_r:webview_zygote_socket:s0
+/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
+/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
+/dev/socket/zygote	u:object_r:zygote_socket:s0
+/dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
+/dev/spdif_out.*	u:object_r:audio_device:s0
+/dev/tegra.*		u:object_r:video_device:s0
+/dev/tty		u:object_r:owntty_device:s0
+/dev/tty[0-9]*		u:object_r:tty_device:s0
+/dev/ttyS[0-9]*		u:object_r:serial_device:s0
+/dev/tun		u:object_r:tun_device:s0
+/dev/uhid		u:object_r:uhid_device:s0
+/dev/uinput		u:object_r:uhid_device:s0
+/dev/uio[0-9]*		u:object_r:uio_device:s0
+/dev/urandom		u:object_r:random_device:s0
+/dev/usb_accessory	u:object_r:usbaccessory_device:s0
+/dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
+/dev/video[0-9]*	u:object_r:video_device:s0
+/dev/vndbinder		u:object_r:vndbinder_device:s0
+/dev/watchdog		u:object_r:watchdog_device:s0
+/dev/xt_qtaguid	u:object_r:qtaguid_device:s0
+/dev/zero		u:object_r:zero_device:s0
+/dev/__properties__ u:object_r:properties_device:s0
+#############################
+# System files
+#
+/system(/.*)?		u:object_r:system_file:s0
+/system/bin/atrace	u:object_r:atrace_exec:s0
+/system/bin/e2fsck	--	u:object_r:fsck_exec:s0
+/system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
+/system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
+/system/bin/tune2fs	--	u:object_r:fsck_exec:s0
+/system/bin/toolbox	--	u:object_r:toolbox_exec:s0
+/system/bin/toybox	--	u:object_r:toolbox_exec:s0
+/system/bin/logcat	--	u:object_r:logcat_exec:s0
+/system/bin/logcatd	--	u:object_r:logcat_exec:s0
+/system/bin/sh		--	u:object_r:shell_exec:s0
+/system/bin/run-as	--	u:object_r:runas_exec:s0
+/system/bin/bootanimation u:object_r:bootanim_exec:s0
+/system/bin/bootstat		u:object_r:bootstat_exec:s0
+/system/bin/app_process32	u:object_r:zygote_exec:s0
+/system/bin/app_process64	u:object_r:zygote_exec:s0
+/system/bin/servicemanager	u:object_r:servicemanager_exec:s0
+/system/bin/hwservicemanager	u:object_r:hwservicemanager_exec:s0
+/system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
+/system/bin/bufferhubd	u:object_r:bufferhubd_exec:s0
+/system/bin/performanced	u:object_r:performanced_exec:s0
+/system/bin/drmserver	u:object_r:drmserver_exec:s0
+/system/bin/dumpstate   u:object_r:dumpstate_exec:s0
+/system/bin/incident   u:object_r:incident_exec:s0
+/system/bin/incidentd   u:object_r:incidentd_exec:s0
+/system/bin/netutils-wrapper-1\.0    u:object_r:netutils_wrapper_exec:s0
+/system/bin/vold	u:object_r:vold_exec:s0
+/system/bin/netd	u:object_r:netd_exec:s0
+/system/bin/wificond	u:object_r:wificond_exec:s0
+/system/bin/audioserver	u:object_r:audioserver_exec:s0
+/system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
+/system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/mediametrics	u:object_r:mediametrics_exec:s0
+/system/bin/cameraserver	u:object_r:cameraserver_exec:s0
+/system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
+/system/bin/mdnsd	u:object_r:mdnsd_exec:s0
+/system/bin/installd	u:object_r:installd_exec:s0
+/system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0
+/system/bin/otapreopt_slot   u:object_r:otapreopt_slot_exec:s0
+/system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
+/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
+/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/recovery-persist     u:object_r:recovery_persist_exec:s0
+/system/bin/recovery-refresh     u:object_r:recovery_refresh_exec:s0
+/system/bin/sdcard      u:object_r:sdcardd_exec:s0
+/system/bin/dhcpcd      u:object_r:dhcp_exec:s0
+/system/bin/dhcpcd-6.8.2	u:object_r:dhcp_exec:s0
+/system/bin/mtpd	u:object_r:mtp_exec:s0
+/system/bin/pppd	u:object_r:ppp_exec:s0
+/system/bin/racoon	u:object_r:racoon_exec:s0
+/system/xbin/su		u:object_r:su_exec:s0
+/system/xbin/perfprofd  u:object_r:perfprofd_exec:s0
+/system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
+/system/bin/healthd     u:object_r:healthd_exec:s0
+/system/bin/clatd	u:object_r:clatd_exec:s0
+/system/bin/lmkd        u:object_r:lmkd_exec:s0
+/system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd        u:object_r:logd_exec:s0
+/system/bin/uncrypt     u:object_r:uncrypt_exec:s0
+/system/bin/update_verifier u:object_r:update_verifier_exec:s0
+/system/bin/logwrapper  u:object_r:system_file:s0
+/system/bin/vdc         u:object_r:vdc_exec:s0
+/system/bin/cppreopts.sh   u:object_r:cppreopts_exec:s0
+/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
+/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat(d)?     u:object_r:dex2oat_exec:s0
+/system/bin/dexoptanalyzer     u:object_r:dexoptanalyzer_exec:s0
+# patchoat executable has (essentially) the same requirements as dex2oat.
+/system/bin/patchoat(d)?    u:object_r:dex2oat_exec:s0
+/system/bin/profman     u:object_r:profman_exec:s0
+/system/bin/sgdisk      u:object_r:sgdisk_exec:s0
+/system/bin/blkid       u:object_r:blkid_exec:s0
+/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/update_engine        u:object_r:update_engine_exec:s0
+/system/bin/bspatch              u:object_r:update_engine_exec:s0
+/system/bin/storaged             u:object_r:storaged_exec:s0
+/system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
+/system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
+/system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
+
+#############################
+# Vendor files
+#
+/(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh                 u:object_r:vendor_shell_exec:s0
+/(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
+
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_hwservice_contexts    u:object_r:hwservice_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/vndservice_contexts         u:object_r:vndservice_contexts_file:s0
+
+#############################
+# OEM and ODM files
+#
+/odm(/.*)?              u:object_r:system_file:s0
+/oem(/.*)?              u:object_r:oemfs:s0
+
+
+#############################
+# Data files
+#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
+/data(/.*)?		u:object_r:system_data_file:s0
+/data/.layout_version		u:object_r:install_data_file:s0
+/data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
+/data/backup(/.*)?		u:object_r:backup_data_file:s0
+/data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
+/data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
+/data/drm(/.*)?		u:object_r:drm_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
+/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/ota(/.*)? u:object_r:ota_data_file:s0
+/data/ota_package(/.*)? u:object_r:ota_package_file:s0
+/data/adb(/.*)?		u:object_r:adb_data_file:s0
+/data/anr(/.*)?		u:object_r:anr_data_file:s0
+/data/app(/.*)?                       u:object_r:apk_data_file:s0
+/data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0
+/data/app/vmdl[^/]+\.tmp(/.*)?           u:object_r:apk_tmp_file:s0
+/data/app/vmdl[^/]+\.tmp/oat(/.*)?           u:object_r:dalvikcache_data_file:s0
+/data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
+/data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
+/data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
+/data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/media(/.*)?	u:object_r:media_rw_data_file:s0
+/data/mediadrm(/.*)?	u:object_r:media_data_file:s0
+/data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0
+/data/nativetest64(/.*)?	u:object_r:nativetest_data_file:s0
+/data/property(/.*)?	u:object_r:property_data_file:s0
+/data/preloads(/.*)?	u:object_r:preloads_data_file:s0
+/data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0
+/data/preloads/demo(/.*)?	u:object_r:preloads_media_file:s0
+
+# Misc data
+/data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
+/data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
+/data/misc/audioserver(/.*)?    u:object_r:audioserver_data_file:s0
+/data/misc/audiohal(/.*)?       u:object_r:audiohal_data_file:s0
+/data/misc/bootstat(/.*)?       u:object_r:bootstat_data_file:s0
+/data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
+/data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
+/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
+/data/misc/bluedroid(/.*)?      u:object_r:bluetooth_data_file:s0
+/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
+/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
+/data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
+/data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
+/data/misc/dhcp-6.8.2(/.*)?     u:object_r:dhcp_data_file:s0
+/data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
+/data/misc/incidents(/.*)?	    u:object_r:incident_data_file:s0
+/data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
+/data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
+/data/misc/logd(/.*)?           u:object_r:misc_logd_file:s0
+/data/misc/media(/.*)?          u:object_r:media_data_file:s0
+/data/misc/net(/.*)?            u:object_r:net_data_file:s0
+/data/misc/reboot(/.*)?         u:object_r:reboot_data_file:s0
+/data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
+/data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
+/data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
+/data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
+/data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
+/data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
+/data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
+/data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
+/data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
+/data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
+/data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
+/data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
+/data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
+/data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
+/data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
+/data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
+/data/misc/profman(/.*)?        u:object_r:profman_dump_data_file:s0
+
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
+# Bootchart data
+/data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
+
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)?                                   u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)?                             u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)?                         u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)?               u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)?          u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)?                   u:object_r:vold_data_file:s0
+
+# coredump directory for userdebug/eng devices
+/cores(/.*)?                    u:object_r:coredump_file:s0
+
+# Wallpaper files
+/data/system/users/[0-9]+/wallpaper_lock_orig	u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_lock	u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_orig	u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)?          u:object_r:ringtone_file:s0
+
+# ShortcutManager icons, e.g.
+#   /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
+/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
+
+# User icon files
+/data/system/users/[0-9]+/photo.png             u:object_r:icon_file:s0
+
+#############################
+# efs files
+#
+/efs(/.*)?		u:object_r:efs_file:s0
+
+#############################
+# Cache files
+#
+/cache(/.*)?		u:object_r:cache_file:s0
+/cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/cache/backup_stage(/.*)?	u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/cache/backup(/.*)?		u:object_r:cache_private_backup_file:s0
+
+/data/cache(/.*)?		u:object_r:cache_file:s0
+/data/cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/data/cache/backup_stage(/.*)?	u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
+
+#############################
+# sysfs files
+#
+/sys/class/leds(/.*)?                        u:object_r:sysfs_leds:s0
+/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
+/sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
+/sys/devices/virtual/block/zram\d+(/.*)?     u:object_r:sysfs_zram:s0
+/sys/devices/virtual/block/zram\d+/uevent    u:object_r:sysfs_zram_uevent:s0
+/sys/devices/virtual/misc/hw_random(/.*)?    u:object_r:sysfs_hwrandom:s0
+/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
+/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
+/sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
+/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
+/sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+
+#############################
+# debugfs files
+#
+/sys/kernel/debug/mmc0(/.*)?                            u:object_r:debugfs_mmc:s0
+
+#############################
+# tracefs files
+#
+/sys/kernel(/debug)?/tracing/buffer_size_kb                                         u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable                     u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable                       u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable                u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable       u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable                     u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable                      u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable                     u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable                      u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable               u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable                           u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable               u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable                  u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable                       u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable                       u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable    u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable      u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable            u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable             u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/instances(/.*)?                                        u:object_r:debugfs_tracing_instances:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer                             u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/trace                                   u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on                              u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/options/overwrite                                      u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/options/print-tgid                                     u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace                                                  u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_clock                                            u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_marker                                           u:object_r:debugfs_trace_marker:s0
+/sys/kernel(/debug)?/tracing/tracing_on                                             u:object_r:tracing_shell_writable:s0
+
+###########################################
+# debug-only tracing
+#
+/sys/kernel/debug/tracing/events/sync/enable                         u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/workqueue/enable                    u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/regulator/enable                    u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/pagecache/enable                    u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/irq/enable                          u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ipi/enable                          u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable    u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable     u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable        u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable          u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable     u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable       u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable    u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable     u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_issue/enable         u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_complete/enable      u:object_r:tracing_shell_writable_debug:s0
+
+#############################
+# asec containers
+/mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
+/mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)?   u:object_r:asec_public_file:s0
+/data/app-asec(/.*)?        u:object_r:asec_image_file:s0
+
+#############################
+# external storage
+/mnt/media_rw(/.*)?         u:object_r:mnt_media_rw_file:s0
+/mnt/user(/.*)?             u:object_r:mnt_user_file:s0
+/mnt/runtime(/.*)?          u:object_r:storage_file:s0
+/storage(/.*)?              u:object_r:storage_file:s0
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
new file mode 100644
index 0000000..d35cd3c
--- /dev/null
+++ b/private/file_contexts_asan
@@ -0,0 +1,5 @@
+/data/asan/system/lib(/.*)?                u:object_r:system_file:s0
+/data/asan/system/lib64(/.*)?              u:object_r:system_file:s0
+/data/asan/vendor/lib(/.*)?                u:object_r:system_file:s0
+/data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
+/system/bin/asan_extract       u:object_r:asan_extract_exec:s0
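Review bot: The first four entries label directories under /data (a writable partition) as `system_file`, the same type trusted for /system libraries, and the file carries no comment saying when it is applied; the filename suggests it is only appended on sanitizer (ASAN) builds, but nothing in the file states that. A header such as `# Only used on ASAN builds: sanitizer-instrumented libraries are extracted to /data/asan and must carry the system_file label so they can be loaded like their /system counterparts` would let a reader see why writable storage is given a system label and confirm this file must never ship in a production policy. Hedged: confirm against the Android.mk inclusion logic, which is outside this hunk.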
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
new file mode 100644
index 0000000..0c1dfaa
--- /dev/null
+++ b/private/fingerprintd.te
@@ -0,0 +1,4 @@
+typeattribute fingerprintd coredomain;
+typeattribute fingerprintd domain_deprecated;
+
+init_daemon_domain(fingerprintd)
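Review bot: `typeattribute fingerprintd domain_deprecated;` is added without a comment, and the attribute name implies it grants a legacy permission set that is meant to go away; a reader of this new file cannot tell whether the dependency is known and tracked. A one-line note such as `# TODO: audit and drop domain_deprecated (legacy broad permissions)` next to the attribute would record that. The same undocumented `domain_deprecated` line appears in the new fsck.te, fsck_untrusted.te and installd.te files in this commit.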
diff --git a/fs_use b/private/fs_use
similarity index 100%
rename from fs_use
rename to private/fs_use
diff --git a/private/fsck.te b/private/fsck.te
new file mode 100644
index 0000000..e846797
--- /dev/null
+++ b/private/fsck.te
@@ -0,0 +1,4 @@
+typeattribute fsck coredomain;
+typeattribute fsck domain_deprecated;
+
+init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
new file mode 100644
index 0000000..2a1a39f
--- /dev/null
+++ b/private/fsck_untrusted.te
@@ -0,0 +1,2 @@
+typeattribute fsck_untrusted coredomain;
+typeattribute fsck_untrusted domain_deprecated;
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
new file mode 100644
index 0000000..5e4d0a2
--- /dev/null
+++ b/private/gatekeeperd.te
@@ -0,0 +1,3 @@
+typeattribute gatekeeperd coredomain;
+
+init_daemon_domain(gatekeeperd)
diff --git a/genfs_contexts b/private/genfs_contexts
similarity index 71%
rename from genfs_contexts
rename to private/genfs_contexts
index 31794a1..c2cfa2c 100644
--- a/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,11 +2,17 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /softirqs u:object_r:proc_timer:s0
+genfscon proc /stat u:object_r:proc_stat:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
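Review bot: `genfscon proc /softirqs u:object_r:proc_timer:s0` labels /proc/softirqs with a timer-named type; the second hunk of this file gives /timer_list and /timer_stats the same type, so the grouping looks deliberate but nothing in the file says so, and a later policy author may not realise a rule on proc_timer also exposes softirqs. A comment such as `# /proc/softirqs is grouped under proc_timer with timer_list/timer_stats` — or a dedicated proc_softirqs type if the intended readers differ — would make the intent explicit. Since genfscon matches by longest prefix, this entry covers only /proc/softirqs itself.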
@@ -17,14 +23,24 @@
 genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /timer_list u:object_r:proc_timer:s0
+genfscon proc /timer_stats u:object_r:proc_timer:s0
+genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
new file mode 100644
index 0000000..49ef178
--- /dev/null
+++ b/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain, coredomain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
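Review bot: The `type hal_allocator_default_exec, exec_type, file_type;` declaration sits between two macro invocations, so the two type declarations for this domain are split by `hal_server_domain(...)`; the other new .te files in this commit (incident.te, incidentd.te) declare the exec type directly after the domain's own declaration and before any rules. Moving the exec type line up to follow the first `type` line keeps declarations together and rules below, which is how the rest of the policy reads.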
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
new file mode 100644
index 0000000..9dcd3ee
--- /dev/null
+++ b/private/halclientdomain.te
@@ -0,0 +1,13 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
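Review bot: The comment on the hwbinder_use line is missing its verb and reads as a fragment: "Find out whether a HAL in passthrough/in-process mode or binderized/out-of-process mode". Suggested wording: `# Find out whether a HAL is in passthrough/in-process mode or binderized/out-of-process mode`. The other two comments in the file are fine.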
diff --git a/private/halserverdomain.te b/private/halserverdomain.te
new file mode 100644
index 0000000..f36e0e7
--- /dev/null
+++ b/private/halserverdomain.te
@@ -0,0 +1,12 @@
+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/private/healthd.te b/private/healthd.te
new file mode 100644
index 0000000..0693a3a
--- /dev/null
+++ b/private/healthd.te
@@ -0,0 +1,6 @@
+typeattribute healthd coredomain;
+
+init_daemon_domain(healthd)
+
+# Allow callback to storaged batteryproperties listener
+binder_call(healthd, storaged)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
new file mode 100644
index 0000000..35c95ce
--- /dev/null
+++ b/private/hwservice_contexts
@@ -0,0 +1,50 @@
+android.frameworks.displayservice::IDisplayService              u:object_r:fwk_display_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService   u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_audio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider               u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs            u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub                        u:object_r:hal_contexthub_hwservice:s0
+android.hardware.drm::ICryptoFactory                            u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory                               u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice                    u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper                        u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss                                    u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator                 u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer                   u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper                       u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth                                u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr                                u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice                    u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight                                  u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx                                u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore                           u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack                            u:object_r:hal_memtrack_hwservice:s0
+android.hardware.nfc::INfc                                      u:object_r:hal_nfc_hwservice:s0
+android.hardware.power::IPower                                  u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook                     u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio                                  u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap                                    u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice                          u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors                              u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw                  u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec                               u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput                             u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb                                      u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator                            u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr                                        u:object_r:hal_vr_hwservice:s0
+android.hardware.wifi::IWifi                                    u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant                   u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase                                        u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager                           u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper                                    u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager                               u:object_r:hidl_token_hwservice:s0
+android.system.wifi.keystore::IKeystore                         u:object_r:system_wifi_keystore_hwservice:s0
+*                                                               u:object_r:default_android_hwservice:s0
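Review bot: `android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0` is the only entry whose type does not follow the `*_hwservice` naming used by every other line in this file, which makes it easy to miss when grepping for hwservice types; if the type name cannot be changed here, a comment saying why it is special would help. The trailing `*` fallback to `default_android_hwservice` also carries no comment; `# Fallback for hwservices not listed above; every new HAL must get its own *_hwservice type` would state that the catch-all is intentional and that new interfaces are expected to be added explicitly rather than silently inheriting the default label.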
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
new file mode 100644
index 0000000..a43eb02
--- /dev/null
+++ b/private/hwservicemanager.te
@@ -0,0 +1,6 @@
+typeattribute hwservicemanager coredomain;
+
+init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/private/idmap.te b/private/idmap.te
new file mode 100644
index 0000000..73abf35
--- /dev/null
+++ b/private/idmap.te
@@ -0,0 +1 @@
+typeattribute idmap coredomain;
diff --git a/private/incident.te b/private/incident.te
new file mode 100644
index 0000000..b910dde
--- /dev/null
+++ b/private/incident.te
@@ -0,0 +1,25 @@
+typeattribute incident coredomain;
+
+type incident_exec, exec_type, file_type;
+
+# switch to incident domain for incident command
+domain_auto_trans(shell, incident_exec, incident)
+
+# allow incident access to stdout from its parent shell.
+allow incident shell:fd use;
+
+# allow incident to communicate use, read and write over the adb
+# connection.
+allow incident adbd:fd use;
+allow incident adbd:unix_stream_socket { read write };
+
+# allow adbd to reap incident
+allow incident adbd:process { sigchld };
+
+# Allow the incident command to talk to the incidentd over the binder, and get
+# back the incident report data from a ParcelFileDescriptor.
+binder_use(incident)
+allow incident incident_service:service_manager find;
+binder_call(incident, incidentd)
+allow incident incidentd:fifo_file write;
+
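Review bot: The comment above the two adbd rules is garbled: "allow incident to communicate use, read and write over the adb connection". Suggested wording: `# allow incident to use, read and write the adbd fd/socket it inherits, i.e. the adb connection`. Minor style: `allow incident adbd:process { sigchld };` wraps a single permission in braces where the rest of the file writes single permissions bare, and the file ends with an extra blank line.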
diff --git a/private/incidentd.te b/private/incidentd.te
new file mode 100644
index 0000000..efd23bd
--- /dev/null
+++ b/private/incidentd.te
@@ -0,0 +1,110 @@
+typeattribute incidentd coredomain;
+
+init_daemon_domain(incidentd)
+type incidentd_exec, exec_type, file_type;
+binder_use(incidentd)
+wakelock_use(incidentd)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+# TODO allow incidentd self:capability { setuid setgid sys_resource };
+
+# Allow incidentd to scan through /proc/pid for all processes
+r_dir_file(incidentd, domain)
+
+allow incidentd self:capability {
+    # Send signals to processes
+    kill
+};
+
+# Allow executing files on system, such as:
+#   /system/bin/toolbox
+#   /system/bin/logcat
+#   /system/bin/dumpsys
+allow incidentd system_file:file execute_no_trans;
+allow incidentd toolbox_exec:file rx_file_perms;
+
+# Create and write into /data/misc/incidents
+allow incidentd incident_data_file:dir rw_dir_perms;
+allow incidentd incident_data_file:file create_file_perms;
+
+# Get process attributes
+# TODO allow incidentd domain:process getattr;
+
+# Signal java processes to dump their stack and get the results
+# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
+# TODO allow incidentd anr_data_file:dir rw_dir_perms;
+# TODO allow incidentd anr_data_file:file create_file_perms;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in incidentd/utils.c
+allow incidentd {
+  audioserver
+  cameraserver
+  drmserver
+  inputflinger
+  mediacodec
+  mediadrmserver
+  mediaextractor
+  mediaserver
+  sdcardd
+  surfaceflinger
+}:process signal;
+
+# Allow incidentd to make binder calls to any binder service
+binder_call(incidentd, binderservicedomain)
+binder_call(incidentd, appdomain)
+
+# Reading /proc/PID/maps of other processes
+# TODO allow incidentd self:capability sys_ptrace;
+
+# Run a shell.
+allow incidentd shell_exec:file rx_file_perms;
+
+# logd access - work to be done is a PII safe log (possibly an event log?)
+# TODO read_logd(incidentd)
+# TODO control_logd(incidentd)
+
+# Allow incidentd to find these standard groups of services.
+# Others can be whitelisted individually.
+allow incidentd {
+  system_server_service
+  app_api_service
+  system_api_service
+}:service_manager find;
+
+# Only incidentd can publish the binder service
+add_service(incidentd, incident_service)
+
+# Allow pipes from (and only from) incident
+allow incidentd incident:fd use;
+allow incidentd incident:fifo_file write;
+
+# Allow incident to call back to incident with status updates.
+binder_call(incidentd, incident)
+
+###
+### neverallow rules
+###
+
+# only system_server, system_app and incident command can find the incident service
+neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+
+# only incidentd and the other root services in limited circumstances
+# can get to the files in /data/misc/incidents
+#
+# write, execute, append are forbidden almost everywhere
+neverallow { domain -incidentd -init -vold } incident_data_file:file {
+  w_file_perms
+  x_file_perms
+  create
+  rename
+  setattr
+  unlink
+  append
+};
+# read is also allowed by system_server, for when the file is handed to dropbox
+neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
+# limited access to the directory itself
+neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
+
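Review bot: `allow incidentd system_file:file execute_no_trans;` is broader than the three binaries the comment above it lists: it lets incidentd execute any system_file-labelled program in its own domain, so narrowing to the specific exec types would match the stated intent better. Note that the new init.te in this same commit references a `logcat_exec` type, so /system/bin/logcat may not be covered by the system_file rule at all — confirm which label logcat carries before relying on this comment. Separately, the comment `# only system_server, system_app and incident command can find the incident service` omits incidentd, which the neverallow on the next line also exempts; `# only system_server, system_app, incident and incidentd itself can find the incident service` matches the rule. The file also ends with a trailing blank line.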
diff --git a/private/init.te b/private/init.te
new file mode 100644
index 0000000..f84d87e
--- /dev/null
+++ b/private/init.te
@@ -0,0 +1,26 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, adbd)
+domain_trans(init, rootfs, charger)
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+recovery_only(`
+  domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
+domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+  domain_auto_trans(init, logcat_exec, logpersist)
+')
+
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit init sysfs:dir write;
diff --git a/initial_sid_contexts b/private/initial_sid_contexts
similarity index 100%
rename from initial_sid_contexts
rename to private/initial_sid_contexts
diff --git a/initial_sids b/private/initial_sids
similarity index 100%
rename from initial_sids
rename to private/initial_sids
diff --git a/private/inputflinger.te b/private/inputflinger.te
new file mode 100644
index 0000000..9696b49
--- /dev/null
+++ b/private/inputflinger.te
@@ -0,0 +1,3 @@
+typeattribute inputflinger coredomain;
+
+init_daemon_domain(inputflinger)
diff --git a/private/install_recovery.te b/private/install_recovery.te
new file mode 100644
index 0000000..b79d683
--- /dev/null
+++ b/private/install_recovery.te
@@ -0,0 +1,3 @@
+typeattribute install_recovery coredomain;
+
+init_daemon_domain(install_recovery)
diff --git a/private/installd.te b/private/installd.te
new file mode 100644
index 0000000..d726e7d
--- /dev/null
+++ b/private/installd.te
@@ -0,0 +1,19 @@
+typeattribute installd coredomain;
+typeattribute installd domain_deprecated;
+
+init_daemon_domain(installd)
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
+# Create /data/.layout_version.* file
+type_transition installd system_data_file:file install_data_file;
diff --git a/private/isolated_app.te b/private/isolated_app.te
new file mode 100644
index 0000000..418a322
--- /dev/null
+++ b/private/isolated_app.te
@@ -0,0 +1,93 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+typeattribute isolated_app coredomain;
+
+app_domain(isolated_app)
+
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app app_data_file:file { append read write getattr lock };
+
+allow isolated_app activity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app self:process ptrace;
+
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules below.
+# TODO: consider removing write/append. We want to limit isolated_apps
+# ability to mutate files of any type.
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
+
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
+
+#####
+##### Neverallow
+#####
+
+# Do not allow isolated_app to directly open tun_device
+neverallow isolated_app tun_device:chr_file open;
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
+neverallow isolated_app {
+    service_manager_type
+    -activity_service
+    -display_service
+    -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
+
+# Do not allow isolated_app to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+
+# Do not allow USB access
+neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app webview_zygote_socket:sock_file write;
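Review bot: The comment above the sdcard rule says that `open` "is blocked by neverallow rules below", but that is only true for `sdcard_type`: the allow grants `{ sdcard_type media_rw_data_file }:file`, while the matching neverallow near the end of the file restricts only `sdcard_type:file`, so nothing in this file forbids `isolated_app media_rw_data_file:file open`. Unless a neverallow elsewhere in the policy already covers `media_rw_data_file` for app domains, the rule that matches the stated intent is `neverallow isolated_app { sdcard_type media_rw_data_file }:file ~{ read write append getattr lock };`. If that cannot be added because of an existing allow, the comment should instead say explicitly that `media_rw_data_file` is not covered by the neverallow, so an auditor does not rely on it.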
diff --git a/private/kernel.te b/private/kernel.te
new file mode 100644
index 0000000..a4e6ebe
--- /dev/null
+++ b/private/kernel.te
@@ -0,0 +1,3 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
diff --git a/keys.conf b/private/keys.conf
similarity index 100%
rename from keys.conf
rename to private/keys.conf
diff --git a/private/keystore.te b/private/keystore.te
new file mode 100644
index 0000000..1e56338
--- /dev/null
+++ b/private/keystore.te
@@ -0,0 +1,11 @@
+typeattribute keystore coredomain;
+typeattribute keystore domain_deprecated;
+
+init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/private/lmkd.te b/private/lmkd.te
new file mode 100644
index 0000000..a07ce87
--- /dev/null
+++ b/private/lmkd.te
@@ -0,0 +1,3 @@
+typeattribute lmkd coredomain;
+
+init_daemon_domain(lmkd)
diff --git a/private/logd.te b/private/logd.te
new file mode 100644
index 0000000..4338e40
--- /dev/null
+++ b/private/logd.te
@@ -0,0 +1,39 @@
+typeattribute logd coredomain;
+
+init_daemon_domain(logd)
+
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
+# only on userdebug or eng builds
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow logd {
+  file_type
+  -logd_tmpfs
+  -runtime_event_log_tags_file
+  userdebug_or_eng(`-coredump_file -misc_logd_file')
+}:file { create write append };
+
+# protect the event-log-tags file
+neverallow {
+  domain
+  -appdomain # covered below
+  -bootstat
+  -dumpstate
+  -init
+  -logd
+  userdebug_or_eng(`-logpersist')
+  -servicemanager
+  -system_server
+  -surfaceflinger
+  -zygote
+} runtime_event_log_tags_file:file no_rw_file_perms;
+
+neverallow {
+  appdomain
+  -bluetooth
+  -platform_app
+  -priv_app
+  -radio
+  -shell
+  userdebug_or_eng(`-su')
+  -system_app
+} runtime_event_log_tags_file:file no_rw_file_perms;
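Review bot: The comment introducing the first neverallow ("not allowed to write anywhere other than /data/misc/logd, and then only on userdebug or eng builds") undersells what the rule actually exempts: `logd_tmpfs` and `runtime_event_log_tags_file` are exempted on every build, and `coredump_file` is exempted alongside `misc_logd_file` on userdebug/eng. Someone auditing where logd can write will miss the event-log-tags file, which is exactly the object the two following neverallows protect. Suggest `# logd may only create/write its own tmpfs and the event-log-tags file; on userdebug/eng builds also /data/misc/logd and coredumps.`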
diff --git a/private/logpersist.te b/private/logpersist.te
new file mode 100644
index 0000000..70e3198
--- /dev/null
+++ b/private/logpersist.te
@@ -0,0 +1,24 @@
+typeattribute logpersist coredomain;
+
+# android debug log storage in logpersist domains (eng and userdebug only)
+userdebug_or_eng(`
+
+  r_dir_file(logpersist, cgroup)
+
+  allow logpersist misc_logd_file:file create_file_perms;
+  allow logpersist misc_logd_file:dir rw_dir_perms;
+
+  allow logpersist self:capability sys_nice;
+  allow logpersist pstorefs:dir search;
+  allow logpersist pstorefs:file r_file_perms;
+
+  control_logd(logpersist)
+  unix_socket_connect(logpersist, logdr, logd)
+  read_runtime_log_tags(logpersist)
+
+')
+
+# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
+neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/mac_permissions.xml b/private/mac_permissions.xml
similarity index 93%
rename from mac_permissions.xml
rename to private/mac_permissions.xml
index 87efe0e..1fcd2a4 100644
--- a/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -51,4 +51,9 @@
       <seinfo value="platform" />
     </signer>
 
+    <!-- Media key in AOSP -->
+    <signer signature="@MEDIA" >
+      <seinfo value="media" />
+    </signer>
+
 </policy>
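Review bot: The new `@MEDIA` signer introduces a `seinfo` value of `media` that is only meaningful if a `seapp_contexts` entry selects on it; this commit's `seapp_contexts` hunk is cut off from view, so I cannot confirm an entry exists, and without one apps signed with that key simply fall through to whatever entry matches by user. Also, `@MEDIA` is a tag resolved from `keys.conf` at build time, and this commit renames `keys.conf` with 100% similarity (no content change), so the tag must already be defined there — worth confirming, since an undefined tag makes the signer unresolvable rather than silently ignored. A short comment such as `<!-- Media key in AOSP; mapped to a domain via seinfo=media in seapp_contexts -->` would make the dependency visible.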
diff --git a/mdnsd.te b/private/mdnsd.te
similarity index 66%
rename from mdnsd.te
rename to private/mdnsd.te
index a9dc7c5..96259e2 100644
--- a/mdnsd.te
+++ b/private/mdnsd.te
@@ -1,8 +1,11 @@
 # mdns daemon
-type mdnsd, domain, mlstrustedsubject;
-type mdnsd_exec, exec_type, file_type;
 
+typeattribute mdnsd coredomain;
+typeattribute mdnsd mlstrustedsubject;
+
+type mdnsd_exec, exec_type, file_type;
 init_daemon_domain(mdnsd)
+
 net_domain(mdnsd)
 
 # Read from /proc/net
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
new file mode 100644
index 0000000..4e511a8
--- /dev/null
+++ b/private/mediadrmserver.te
@@ -0,0 +1,8 @@
+typeattribute mediadrmserver coredomain;
+
+init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
new file mode 100644
index 0000000..c1a8521
--- /dev/null
+++ b/private/mediaextractor.te
@@ -0,0 +1,3 @@
+typeattribute mediaextractor coredomain;
+
+init_daemon_domain(mediaextractor)
diff --git a/private/mediametrics.te b/private/mediametrics.te
new file mode 100644
index 0000000..f8b2fa5
--- /dev/null
+++ b/private/mediametrics.te
@@ -0,0 +1,3 @@
+typeattribute mediametrics coredomain;
+
+init_daemon_domain(mediametrics)
diff --git a/private/mediaserver.te b/private/mediaserver.te
new file mode 100644
index 0000000..a9b85be
--- /dev/null
+++ b/private/mediaserver.te
@@ -0,0 +1,10 @@
+typeattribute mediaserver coredomain;
+
+init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/mls b/private/mls
similarity index 93%
rename from mls
rename to private/mls
index 5589b4b..a561de1 100644
--- a/mls
+++ b/private/mls
@@ -1,15 +1,3 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
-
-
 #################################################
 # MLS policy constraints
 #
diff --git a/private/mls_decl b/private/mls_decl
new file mode 100644
index 0000000..dd53bea
--- /dev/null
+++ b/private/mls_decl
@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
diff --git a/mls_macros b/private/mls_macros
similarity index 100%
rename from mls_macros
rename to private/mls_macros
diff --git a/private/modprobe.te b/private/modprobe.te
new file mode 100644
index 0000000..9858675
--- /dev/null
+++ b/private/modprobe.te
@@ -0,0 +1 @@
+typeattribute modprobe coredomain;
diff --git a/private/mtp.te b/private/mtp.te
new file mode 100644
index 0000000..3cfda0b
--- /dev/null
+++ b/private/mtp.te
@@ -0,0 +1,4 @@
+typeattribute mtp coredomain;
+typeattribute mtp domain_deprecated;
+
+init_daemon_domain(mtp)
diff --git a/net.te b/private/net.te
similarity index 72%
rename from net.te
rename to private/net.te
index 4616eb1..f16daf9 100644
--- a/net.te
+++ b/private/net.te
@@ -1,7 +1,6 @@
-# Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
+###
+### Domain with network access
+###
 
 # Use network sockets.
 allow netdomain self:tcp_socket create_stream_socket_perms;
@@ -9,9 +8,9 @@
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
-allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
 
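Review bot: The three new `{netdomain -ephemeral_app}` bind rules carry no comment explaining the exclusion, while every other rule in this stretch of the file has one, and the `name_connect` rule just above is deliberately left unrestricted. A reader cannot tell from the hunk whether ephemeral apps are meant to be unable to listen at all or whether some other rule grants them a narrower bind; suggest `# Ephemeral apps may connect out but may not bind/listen (no node_bind/name_bind).` above the first of the three lines, or a pointer to the bug or neverallow that mandates it.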
diff --git a/private/netd.te b/private/netd.te
new file mode 100644
index 0000000..3a824af
--- /dev/null
+++ b/private/netd.te
@@ -0,0 +1,10 @@
+typeattribute netd coredomain;
+typeattribute netd domain_deprecated;
+
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain
+domain_auto_trans(netd, clatd_exec, clatd)
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
new file mode 100644
index 0000000..f7fe32a
--- /dev/null
+++ b/private/netutils_wrapper.te
@@ -0,0 +1,28 @@
+typeattribute netutils_wrapper coredomain;
+
+r_dir_file(netutils_wrapper, system_file);
+
+# For netutils (ip, iptables, tc)
+allow netutils_wrapper self:capability net_raw;
+
+allow netutils_wrapper system_file:file { execute execute_no_trans };
+allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper self:rawip_socket create_socket_perms;
+allow netutils_wrapper self:udp_socket create_socket_perms;
+allow netutils_wrapper self:capability net_admin;
+# ip utils need everything but ioctl
+allow netutils_wrapper self:netlink_route_socket ~ioctl;
+allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
+
+# For netutils (ndc) to be able to talk to netd
+allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
+allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+
+# For /data/misc/net access to ndc and ip
+r_dir_file(netutils_wrapper, net_data_file)
+
+domain_auto_trans({
+    domain
+    -coredomain
+    -appdomain
+}, netutils_wrapper_exec, netutils_wrapper)
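Review bot: `allow netutils_wrapper system_file:file { execute execute_no_trans };` lets the wrapper execute any file labelled `system_file` in its own domain, which is considerably wider than the "ip, iptables, tc" the comment describes, and the domain also holds `net_admin` and `net_raw`; since every non-core, non-app domain can transition into it via the `domain_auto_trans` at the bottom, this is the boundary vendor code crosses to reach netd. If the binaries really are fixed, a dedicated exec type (or at least a comment stating that the wrapper itself hard-codes which programs it runs and is therefore trusted for the broad execute permission) would document why the broad grant is acceptable. Separately, a point of style: `r_dir_file(netutils_wrapper, system_file);` on the third line ends with a stray `;` while the same macro is used without one lower in the file (`r_dir_file(netutils_wrapper, net_data_file)`); drop the semicolon for consistency.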
diff --git a/nfc.te b/private/nfc.te
similarity index 70%
rename from nfc.te
rename to private/nfc.te
index fc7e167..25ad702 100644
--- a/nfc.te
+++ b/private/nfc.te
@@ -1,33 +1,25 @@
 # nfc subsystem
-type nfc, domain, domain_deprecated;
+typeattribute nfc coredomain;
 app_domain(nfc)
 net_domain(nfc)
+
 binder_service(nfc)
+add_service(nfc, nfc_service)
 
-# Set NFC properties
-set_prop(nfc, nfc_prop)
-
-# NFC device access.
-allow nfc nfc_device:chr_file rw_file_perms;
+hal_client_domain(nfc, hal_nfc)
 
 # Data file accesses.
 allow nfc nfc_data_file:dir create_dir_perms;
 allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 
-allow nfc sysfs_nfc_power_writable:file rw_file_perms;
-allow nfc sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow nfc sysfs_usb:file write;
-
 # SoundPool loading and playback
 allow nfc audioserver_service:service_manager find;
 allow nfc drmserver_service:service_manager find;
 allow nfc mediacodec_service:service_manager find;
+allow nfc mediametrics_service:service_manager find;
 allow nfc mediaextractor_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 
-allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc app_api_service:service_manager find;
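Review bot: The removed declaration was `type nfc, domain, domain_deprecated;`, but the replacement only adds `typeattribute nfc coredomain;` and does not re-attach `domain_deprecated`, unlike `platform_app` and `priv_app` in this same commit which keep it explicitly. If dropping it is intentional (nfc no longer relying on the deprecated broad grants) a one-line comment would save the next reader the comparison; if it is an oversight it will surface as denials rather than a build error. I am assuming the `type nfc` declaration itself moved to a public file not visible here; the rest of this file, including any neverallows, lies outside the hunk.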
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
new file mode 100644
index 0000000..1f69931
--- /dev/null
+++ b/private/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+typeattribute otapreopt_chroot coredomain;
+
+# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
new file mode 100644
index 0000000..98b93d4
--- /dev/null
+++ b/private/otapreopt_slot.te
@@ -0,0 +1,5 @@
+typeattribute otapreopt_slot coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
diff --git a/private/performanced.te b/private/performanced.te
new file mode 100644
index 0000000..792826e
--- /dev/null
+++ b/private/performanced.te
@@ -0,0 +1,3 @@
+typeattribute performanced coredomain;
+
+init_daemon_domain(performanced)
diff --git a/private/perfprofd.te b/private/perfprofd.te
new file mode 100644
index 0000000..a655f1d
--- /dev/null
+++ b/private/perfprofd.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+  typeattribute perfprofd coredomain;
+  typeattribute perfprofd domain_deprecated;
+  init_daemon_domain(perfprofd)
+')
diff --git a/platform_app.te b/private/platform_app.te
similarity index 78%
rename from platform_app.te
rename to private/platform_app.te
index d4a27ad..fd4634a 100644
--- a/platform_app.te
+++ b/private/platform_app.te
@@ -2,8 +2,11 @@
 ### Apps signed with the platform key.
 ###
 
-type platform_app, domain, domain_deprecated;
+typeattribute platform_app coredomain;
+typeattribute platform_app domain_deprecated;
+
 app_domain(platform_app)
+
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
@@ -26,12 +29,8 @@
 allow platform_app media_rw_data_file:file create_file_perms;
 
 # Write to /cache.
-allow platform_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow platform_app { cache_file cache_recovery_file }:file create_file_perms;
-
-# Likely not needed
-auditallow platform_app cache_recovery_file:dir create_dir_perms;
-auditallow platform_app cache_recovery_file:file create_file_perms;
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;
 
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
@@ -43,9 +42,11 @@
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediametrics_service:service_manager find;
 allow platform_app mediaextractor_service:service_manager find;
 allow platform_app mediacodec_service:service_manager find;
 allow platform_app mediadrmserver_service:service_manager find;
+allow platform_app mediacasserver_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
@@ -56,3 +57,14 @@
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
 allow platform_app preloads_data_file:dir r_dir_perms;
+allow platform_app preloads_media_file:file r_file_perms;
+allow platform_app preloads_media_file:dir r_dir_perms;
+
+read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/private/policy_capabilities b/private/policy_capabilities
new file mode 100644
index 0000000..ab55c15
--- /dev/null
+++ b/private/policy_capabilities
@@ -0,0 +1,13 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
diff --git a/port_contexts b/private/port_contexts
similarity index 100%
rename from port_contexts
rename to private/port_contexts
diff --git a/private/postinstall.te b/private/postinstall.te
new file mode 100644
index 0000000..363e362
--- /dev/null
+++ b/private/postinstall.te
@@ -0,0 +1,3 @@
+typeattribute postinstall coredomain;
+
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
new file mode 100644
index 0000000..ff5fe87
--- /dev/null
+++ b/private/postinstall_dexopt.te
@@ -0,0 +1,5 @@
+typeattribute postinstall_dexopt coredomain;
+
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/private/ppp.te b/private/ppp.te
new file mode 100644
index 0000000..9b301f4
--- /dev/null
+++ b/private/ppp.te
@@ -0,0 +1,4 @@
+typeattribute ppp coredomain;
+typeattribute ppp domain_deprecated;
+
+domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/preopt2cachename.te b/private/preopt2cachename.te
new file mode 100644
index 0000000..d10f767
--- /dev/null
+++ b/private/preopt2cachename.te
@@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
diff --git a/priv_app.te b/private/priv_app.te
similarity index 77%
rename from priv_app.te
rename to private/priv_app.te
index 85516a6..065ea1a 100644
--- a/priv_app.te
+++ b/private/priv_app.te
@@ -1,35 +1,37 @@
 ###
 ### A domain for further sandboxing privileged apps.
 ###
-type priv_app, domain, domain_deprecated;
+
+typeattribute priv_app coredomain;
 app_domain(priv_app)
+
 # Access the network.
 net_domain(priv_app)
 # Access bluetooth.
 bluetooth_domain(priv_app)
 
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow priv_app self:process ptrace;
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow priv_app app_data_file:file rx_file_perms;
-
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
 # Allow the allocation and use of ptys
 # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
 create_pty(priv_app)
 
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow priv_app self:process ptrace;
+
+# Some apps ship with shared libraries that they write out
+# to their sandbox directory and then dlopen().
+allow priv_app app_data_file:file execute;
+
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
 allow priv_app mediacodec_service:service_manager find;
+allow priv_app mediametrics_service:service_manager find;
 allow priv_app mediadrmserver_service:service_manager find;
+allow priv_app mediacasserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
+allow priv_app oem_lock_service:service_manager find;
 allow priv_app radio_service:service_manager find;
 allow priv_app surfaceflinger_service:service_manager find;
 allow priv_app app_api_service:service_manager find;
@@ -37,13 +39,11 @@
 allow priv_app persistent_data_block_service:service_manager find;
 allow priv_app recovery_service:service_manager find;
 
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow priv_app cache_file:lnk_file r_file_perms;
 
 # Write to /data/ota_package for OTA packages.
 allow priv_app ota_package_file:dir rw_dir_perms;
@@ -73,18 +73,17 @@
   allow priv_app perfprofd_data_file:dir r_dir_perms;
 ')
 
-# Allow GMS core to scan executables on the system partition
-allow priv_app exec_type:file { getattr read open };
-
 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
-allow priv_app app_fuse_file:dir rw_dir_perms;
-allow priv_app app_fuse_file:file rw_file_perms;
 
-# /sys access
-allow priv_app sysfs_zram:dir search;
-allow priv_app sysfs_zram:file r_file_perms;
+# /sys and /proc access
+r_dir_file(priv_app, sysfs_type)
+r_dir_file(priv_app, proc)
+r_dir_file(priv_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
 
 # access the mac address
 allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
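Review bot: The replacement of the narrow `sysfs_zram` read rules with `r_dir_file(priv_app, sysfs_type)`, `r_dir_file(priv_app, proc)` and `r_dir_file(priv_app, rootfs)` broadens priv_app to read every sysfs type and all of generic /proc, but the only comment is "/sys and /proc access", whereas the `config_gz` rule right below it names its consumer and purpose. Because `sysfs_type` is an attribute, any sysfs label added later is automatically readable by privileged apps, so the grant should record which app and which nodes need it (a bug reference like the one on the `config_gz` line), or be narrowed to the specific sysfs types if the consumer is known. No neverallow in the visible hunks constrains this; the file's neverallow section begins at the end of the next hunk and continues outside view.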
@@ -93,12 +92,37 @@
 binder_call(priv_app, update_engine)
 allow priv_app update_engine_service:service_manager find;
 
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(priv_app, storaged)
+allow priv_app storaged_service:service_manager find;
+
 # Allow Phone to read/write cached ringtones (opened by system).
 allow priv_app ringtone_file:file { getattr read write };
 
 # Access to /data/preloads
 allow priv_app preloads_data_file:file r_file_perms;
 allow priv_app preloads_data_file:dir r_dir_perms;
+allow priv_app preloads_media_file:file r_file_perms;
+allow priv_app preloads_media_file:dir r_dir_perms;
+
+# TODO: revert this as part of fixing 33574909
+# android.process.media uses /dev/mtp_usb
+allow priv_app mtp_device:chr_file rw_file_perms;
+
+# TODO: revert this as part of fixing 33574909
+# MtpServer uses /dev/usb-ffs/mtp
+allow priv_app functionfs:dir search;
+allow priv_app functionfs:file rw_file_perms;
+
+# TODO: revert this as part of fixing 33574909
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow priv_app mnt_media_rw_file:dir search;
+
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
+read_runtime_log_tags(priv_app)
 
 ###
 ### neverallow rules
diff --git a/private/profman.te b/private/profman.te
new file mode 100644
index 0000000..f61d05e
--- /dev/null
+++ b/private/profman.te
@@ -0,0 +1 @@
+typeattribute profman coredomain;
diff --git a/property_contexts b/private/property_contexts
similarity index 81%
rename from property_contexts
rename to private/property_contexts
index 4368a98..4c27b35 100644
--- a/property_contexts
+++ b/private/property_contexts
@@ -8,7 +8,7 @@
 net.qmi                 u:object_r:net_radio_prop:s0
 net.lte                 u:object_r:net_radio_prop:s0
 net.cdma                u:object_r:net_radio_prop:s0
-net.dns                 u:object_r:net_radio_prop:s0
+net.dns                 u:object_r:net_dns_prop:s0
 sys.usb.config          u:object_r:system_radio_prop:s0
 ril.                    u:object_r:radio_prop:s0
 ro.ril.                 u:object_r:radio_prop:s0
@@ -18,6 +18,7 @@
 net.                    u:object_r:system_prop:s0
 dev.                    u:object_r:system_prop:s0
 ro.runtime.             u:object_r:system_prop:s0
+ro.runtime.firstboot    u:object_r:firstboot_prop:s0
 hw.                     u:object_r:system_prop:s0
 ro.hw.                  u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
@@ -25,7 +26,6 @@
 sys.powerctl            u:object_r:powerctl_prop:s0
 sys.usb.ffs.            u:object_r:ffs_prop:s0
 service.                u:object_r:system_prop:s0
-wlan.                   u:object_r:system_prop:s0
 dhcp.                   u:object_r:dhcp_prop:s0
 dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
 bluetooth.              u:object_r:bluetooth_prop:s0
@@ -33,6 +33,7 @@
 debug.                  u:object_r:debug_prop:s0
 debug.db.               u:object_r:debuggerd_prop:s0
 dumpstate.              u:object_r:dumpstate_prop:s0
+dumpstate.options       u:object_r:dumpstate_options_prop:s0
 log.                    u:object_r:log_prop:s0
 log.tag                 u:object_r:log_tag_prop:s0
 log.tag.WifiHAL         u:object_r:wifi_log_prop:s0
@@ -41,6 +42,7 @@
 service.adb.tcp.port    u:object_r:shell_prop:s0
 
 persist.audio.          u:object_r:audio_prop:s0
+persist.bluetooth.      u:object_r:bluetooth_prop:s0
 persist.debug.          u:object_r:persist_debug_prop:s0
 persist.logd.           u:object_r:logd_prop:s0
 persist.logd.security   u:object_r:device_logging_prop:s0
@@ -55,6 +57,13 @@
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
+persist.vendor.overlay.  u:object_r:overlay_prop:s0
+ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
+ro.boottime.             u:object_r:boottime_prop:s0
+ro.serialno             u:object_r:serialno_prop:s0
+ro.boot.btmacaddr       u:object_r:bluetooth_prop:s0
+ro.boot.serialno        u:object_r:serialno_prop:s0
+ro.bt.                  u:object_r:bluetooth_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
@@ -62,7 +71,6 @@
 
 # selinux non-persistent properties
 selinux.restorecon_recursive   u:object_r:restorecon_prop:s0
-selinux.                       u:object_r:security_prop:s0
 
 # default property context
 *                       u:object_r:default_prop:s0
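Review bot: Removing the `selinux.` prefix entry means that any `selinux.*` key other than `selinux.restorecon_recursive` now matches the `*` entry and is labelled `default_prop` instead of `security_prop`, which changes which domains may set such properties. If no code sets other `selinux.*` keys this is harmless, but that is an assumption the hunk does not document; a comment such as `# selinux.restorecon_recursive is the only selinux.* property; others fall to default_prop` next to the surviving line would record it, and the alignment of the new entries in the earlier hunk (`persist.vendor.overlay.`, `ro.boot.vendor.overlay.`, `ro.boottime.`) and of `asan.restore_reboot` in the last hunk is off by a column or two relative to the rest of the file.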
@@ -75,6 +83,8 @@
 # set at runtime by system_server.
 ro.build.fingerprint    u:object_r:fingerprint_prop:s0
 
+ro.persistent_properties.ready  u:object_r:persistent_properties_ready_prop:s0
+
 # ctl properties
 ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
@@ -95,3 +105,12 @@
 ro.config.              u:object_r:config_prop:s0
 dalvik.                 u:object_r:dalvik_prop:s0
 ro.dalvik.              u:object_r:dalvik_prop:s0
+
+# Shared between system server and wificond
+wlan.                   u:object_r:wifi_prop:s0
+
+# hwservicemanager properties
+hwservicemanager.       u:object_r:hwservicemanager_prop:s0
+
+# ASAN install trigger
+asan.restore_reboot  u:object_r:asan_reboot_prop:s0
diff --git a/private/racoon.te b/private/racoon.te
new file mode 100644
index 0000000..42ea7c9
--- /dev/null
+++ b/private/racoon.te
@@ -0,0 +1,3 @@
+typeattribute racoon coredomain;
+
+init_daemon_domain(racoon)
diff --git a/private/radio.te b/private/radio.te
new file mode 100644
index 0000000..83b5b41
--- /dev/null
+++ b/private/radio.te
@@ -0,0 +1,6 @@
+typeattribute radio coredomain;
+typeattribute radio domain_deprecated;
+
+app_domain(radio)
+
+read_runtime_log_tags(radio)
diff --git a/private/recovery.te b/private/recovery.te
new file mode 100644
index 0000000..b7b2847
--- /dev/null
+++ b/private/recovery.te
@@ -0,0 +1,2 @@
+typeattribute recovery coredomain;
+typeattribute recovery domain_deprecated;
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
new file mode 100644
index 0000000..1fdd758
--- /dev/null
+++ b/private/recovery_persist.te
@@ -0,0 +1,7 @@
+typeattribute recovery_persist coredomain;
+
+init_daemon_domain(recovery_persist)
+
+# recovery_persist is not allowed to write anywhere other than recovery_data_file
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
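Review bot: The neverallow here covers only `write`, while the comment above it claims recovery_persist "is not allowed to write anywhere other than recovery_data_file"; the equivalent rules for logd and logpersist in this commit use `{ create write append }`, so creating or appending to a file of any other type is not actually forbidden here. The same mismatch appears in `private/recovery_refresh.te`, whose comment says "not allowed to write anywhere". For both, `}:file { create write append };` would make the rule match the comment, provided no existing allow for these domains grants create/append on another type (the build would flag that).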
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
new file mode 100644
index 0000000..327098d
--- /dev/null
+++ b/private/recovery_refresh.te
@@ -0,0 +1,7 @@
+typeattribute recovery_refresh coredomain;
+
+init_daemon_domain(recovery_refresh)
+
+# recovery_refresh is not allowed to write anywhere
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/private/roles_decl b/private/roles_decl
new file mode 100644
index 0000000..c84fcba
--- /dev/null
+++ b/private/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/private/runas.te b/private/runas.te
new file mode 100644
index 0000000..73a91ff
--- /dev/null
+++ b/private/runas.te
@@ -0,0 +1,5 @@
+typeattribute runas coredomain;
+typeattribute runas domain_deprecated;
+
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
new file mode 100644
index 0000000..ac6bb4e
--- /dev/null
+++ b/private/sdcardd.te
@@ -0,0 +1,4 @@
+typeattribute sdcardd coredomain;
+typeattribute sdcardd domain_deprecated;
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/seapp_contexts b/private/seapp_contexts
new file mode 100644
index 0000000..4356889
--- /dev/null
+++ b/private/seapp_contexts
@@ -0,0 +1,110 @@
+# Input selectors:
+#       isSystemServer (boolean)
+#       isEphemeralApp (boolean)
+#       isV2App (boolean)
+#       isOwner (boolean)
+#       user (string)
+#       seinfo (string)
+#       name (string)
+#       path (string)
+#       isPrivApp (boolean)
+#       minTargetSdkVersion (unsigned integer)
+# isSystemServer=true can only be used once.
+# An unspecified isSystemServer defaults to false.
+# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
+# isV2App=true will match apps in the v2 app sandbox.
+# isOwner=true will only match for the owner/primary user.
+# isOwner=false will only match for secondary users.
+# If unspecified, the entry can match either case.
+# An unspecified string selector will match any value.
+# A user string selector that ends in * will perform a prefix match.
+# user=_app will match any regular app UID.
+# user=_isolated will match any isolated service UID.
+# isPrivApp=true will only match for applications preinstalled in
+#       /system/priv-app.
+# minTargetSdkVersion will match applications with a targetSdkVersion
+#       greater than or equal to the specified value. If unspecified,
+#       it has a default value of 0.
+# All specified input selectors in an entry must match (i.e. logical AND).
+# Matching is case-insensitive.
+#
+# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
+#       (1) isSystemServer=true before isSystemServer=false.
+#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
+#       (3) Specified isV2App= before unspecified isV2App= boolean.
+#       (4) Specified isOwner= before unspecified isOwner= boolean.
+#       (5) Specified user= string before unspecified user= string.
+#       (6) Fixed user= string before user= prefix (i.e. ending in *).
+#       (7) Longer user= prefix before shorter user= prefix.
+#       (8) Specified seinfo= string before unspecified seinfo= string.
+#           ':' character is reserved and may not be used.
+#       (9) Specified name= string before unspecified name= string.
+#       (10) Specified path= string before unspecified path= string.
+#       (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
+#       (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
+#              integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
+#
+# Outputs:
+#       domain (string)
+#       type (string)
+#       levelFrom (string; one of none, all, app, or user)
+#       level (string)
+# Only entries that specify domain= will be used for app process labeling.
+# Only entries that specify type= will be used for app directory labeling.
+# levelFrom=user is only supported for _app or _isolated UIDs.
+# levelFrom=app or levelFrom=all is only supported for _app UIDs.
+# level may be used to specify a fixed level for any UID.
+#
+#
+# Neverallow Assertions
+# Additional compile time assertion checks can be added as well. The assertion
+# rules are lines beginning with the keyword neverallow. Full support for PCRE
+# regular expressions exists on all input and output selectors. Neverallow
+# rules are never output to the built seapp_contexts file. Like all keywords,
+# neverallows are case-insensitive. A neverallow is asserted when all key value
+# inputs are matched on a key value rule line.
+#
+
+# only the system server can be in system_server domain
+neverallow isSystemServer=false domain=system_server
+neverallow isSystemServer="" domain=system_server
+
+# system domains should never be assigned outside of system uid
+neverallow user=((?!system).)* domain=system_app
+neverallow user=((?!system).)* type=system_app_data_file
+
+# anything with a non-known uid with a specified name should have a specified seinfo
+neverallow user=_app name=.* seinfo=""
+neverallow user=_app name=.* seinfo=default
+
+# neverallow shared relro to any other domain
+# and neverallow any other uid into shared_relro
+neverallow user=shared_relro domain=((?!shared_relro).)*
+neverallow user=((?!shared_relro).)* domain=shared_relro
+
+# neverallow non-isolated uids into isolated_app domain
+# and vice versa
+neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=((?!_isolated).)* domain=isolated_app
+
+# uid shell should always be in shell domain, however non-shell
+# uid's can be in shell domain
+neverallow user=shell domain=((?!shell).)*
+
+# Ephemeral Apps must run in the ephemeral_app domain
+neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
+
+isSystemServer=true domain=system_server
+user=system seinfo=platform domain=system_app type=system_app_data_file
+user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=radio seinfo=platform domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro
+user=shell seinfo=platform domain=shell type=shell_data_file
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
+user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
+user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
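Review bot: The assertion `neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*` only constrains entries that themselves specify isEphemeralApp=true (the header text says a neverallow fires when all of its key/value inputs match a rule line), so it does not cover the fall-through case where an ephemeral app fails the `isV2App=true` selector on the `user=_app isV2App=true isEphemeralApp=true ...` entry and lands on the untrusted_app or untrusted_app_25 lines instead. If ephemeral apps are always v2 apps at this point, that coupling should be stated on the entry, e.g. `# ephemeral apps are always v2 apps; a non-v2 ephemeral app would fall through to untrusted_app`. If that is not guaranteed, a dedicated entry without the isV2App selector would be the safer default, and the comment header should say which case applies.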
diff --git a/security_classes b/private/security_classes
similarity index 68%
rename from security_classes
rename to private/security_classes
index 680d3dd..02e3ef2 100644
--- a/security_classes
+++ b/private/security_classes
@@ -45,13 +45,11 @@
 
 # extended netlink sockets
 class netlink_route_socket
-class netlink_firewall_socket
 class netlink_tcpdiag_socket
 class netlink_nflog_socket
 class netlink_xfrm_socket
 class netlink_selinux_socket
 class netlink_audit_socket
-class netlink_ip6fw_socket
 class netlink_dnrt_socket
 
 # IPSec association
@@ -94,17 +92,53 @@
 class netlink_rdma_socket
 class netlink_crypto_socket
 
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+
 # Property service
 class property_service          # userspace
 
 # Service manager
 class service_manager           # userspace
 
+# hardware service manager      # userspace
+class hwservice_manager
+
 # Keystore Key
 class keystore_key              # userspace
 
-# debuggerd service
-class debuggerd                 # userspace
-
 class drmservice                # userspace
 # FLASK
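Review bot: The `# userspace` marker for the new hwservice_manager class sits on the comment line `# hardware service manager      # userspace` rather than on the class line, unlike the property_service, service_manager and keystore_key entries around it. Keeping the annotation on the class line preserves the one-place convention for spotting userspace object managers: `# hardware service manager` followed by `class hwservice_manager         # userspace`.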
diff --git a/service_contexts b/private/service_contexts
similarity index 85%
rename from service_contexts
rename to private/service_contexts
index fffbd4d..dc77cb9 100644
--- a/service_contexts
+++ b/private/service_contexts
@@ -9,6 +9,7 @@
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
 audio                                     u:object_r:audio_service:s0
+autofill                                  u:object_r:autofill_service:s0
 backup                                    u:object_r:backup_service:s0
 batteryproperties                         u:object_r:batteryproperties_service:s0
 batterystats                              u:object_r:batterystats_service:s0
@@ -21,15 +22,18 @@
 commontime_management                     u:object_r:commontime_management_service:s0
 common_time.clock                         u:object_r:mediaserver_service:s0
 common_time.config                        u:object_r:mediaserver_service:s0
+companiondevice                           u:object_r:companion_device_service:s0
 connectivity                              u:object_r:connectivity_service:s0
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
 content                                   u:object_r:content_service:s0
-contexthub_service                        u:object_r:contexthub_service:s0
+contexthub                                u:object_r:contexthub_service:s0
 country_detector                          u:object_r:country_detector_service:s0
+coverage                                  u:object_r:coverage_service:s0
 cpuinfo                                   u:object_r:cpuinfo_service:s0
 dbinfo                                    u:object_r:dbinfo_service:s0
 device_policy                             u:object_r:device_policy_service:s0
+device_identifiers                        u:object_r:device_identifiers_service:s0
 deviceidle                                u:object_r:deviceidle_service:s0
 devicestoragemonitor                      u:object_r:devicestoragemonitor_service:s0
 diskstats                                 u:object_r:diskstats_service:s0
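Review bot: `device_identifiers` is inserted after `device_policy`, which breaks the alphabetical ordering the surrounding lines follow (`device_identifiers` sorts before `device_policy`); the same applies to `wificond` being listed before `wifiaware` in the last hunk of this file. Ordering does not affect lookups, but a sorted list makes duplicate or mislabeled entries easier to spot in review, which matters for a file that decides which services a caller may find. Swapping the two lines in each place is enough.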
@@ -40,8 +44,11 @@
 dreams                                    u:object_r:dreams_service:s0
 drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
+dumpstate                                 u:object_r:dumpstate_service:s0
+econtroller                               u:object_r:radio_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
+font                                      u:object_r:font_service:s0
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
@@ -49,14 +56,17 @@
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
+incident                                  u:object_r:incident_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
 input_method                              u:object_r:input_method_service:s0
 input                                     u:object_r:input_service:s0
+installd                                  u:object_r:installd_service:s0
 iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
 imms                                      u:object_r:imms_service:s0
+ipsec                                     u:object_r:ipsec_service:s0
 isms_msim                                 u:object_r:radio_service:s0
 isms2                                     u:object_r:radio_service:s0
 isms                                      u:object_r:radio_service:s0
@@ -65,18 +75,21 @@
 launcherapps                              u:object_r:launcherapps_service:s0
 location                                  u:object_r:location_service:s0
 lock_settings                             u:object_r:lock_settings_service:s0
+media.aaudio                              u:object_r:audioserver_service:s0
 media.audio_flinger                       u:object_r:audioserver_service:s0
 media.audio_policy                        u:object_r:audioserver_service:s0
 media.camera                              u:object_r:cameraserver_service:s0
 media.camera.proxy                        u:object_r:cameraproxy_service:s0
 media.log                                 u:object_r:audioserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
+media.metrics                             u:object_r:mediametrics_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
 media.codec                               u:object_r:mediacodec_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.radio                               u:object_r:audioserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0
+media.cas                                 u:object_r:mediacasserver_service:s0
 media_projection                          u:object_r:media_projection_service:s0
 media_resource_monitor                    u:object_r:media_session_service:s0
 media_router                              u:object_r:media_router_service:s0
@@ -92,7 +105,9 @@
 network_time_update_service               u:object_r:network_time_update_service:s0
 nfc                                       u:object_r:nfc_service:s0
 notification                              u:object_r:notification_service:s0
+oem_lock                                  u:object_r:oem_lock_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
+overlay                                   u:object_r:overlay_service:s0
 package                                   u:object_r:package_service:s0
 permission                                u:object_r:permission_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
@@ -114,9 +129,11 @@
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
 scheduling_policy                         u:object_r:scheduling_policy_service:s0
 search                                    u:object_r:search_service:s0
+sec_key_att_app_id_provider               u:object_r:sec_key_att_app_id_provider_service:s0
 sensorservice                             u:object_r:sensorservice_service:s0
 serial                                    u:object_r:serial_service:s0
 servicediscovery                          u:object_r:servicediscovery_service:s0
+settings                                  u:object_r:settings_service:s0
 shortcut                                  u:object_r:shortcut_service:s0
 simphonebook_msim                         u:object_r:radio_service:s0
 simphonebook2                             u:object_r:radio_service:s0
@@ -124,10 +141,13 @@
 sip                                       u:object_r:radio_service:s0
 soundtrigger                              u:object_r:voiceinteraction_service:s0
 statusbar                                 u:object_r:statusbar_service:s0
+storaged                                  u:object_r:storaged_service:s0
+storagestats                              u:object_r:storagestats_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 task                                      u:object_r:task_service:s0
 telecom                                   u:object_r:telecom_service:s0
 telephony.registry                        u:object_r:registry_service:s0
+textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0
 trust                                     u:object_r:trust_service:s0
 tv_input                                  u:object_r:tv_input_service:s0
@@ -137,12 +157,16 @@
 usb                                       u:object_r:usb_service:s0
 user                                      u:object_r:user_service:s0
 vibrator                                  u:object_r:vibrator_service:s0
+virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
+vr_hwc                                    u:object_r:vr_hwc_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
 webviewupdate                             u:object_r:webviewupdate_service:s0
 wifip2p                                   u:object_r:wifip2p_service:s0
 wifiscanner                               u:object_r:wifiscanner_service:s0
 wifi                                      u:object_r:wifi_service:s0
+wificond                                  u:object_r:wificond_service:s0
+wifiaware                                 u:object_r:wifiaware_service:s0
 window                                    u:object_r:window_service:s0
 *                                         u:object_r:default_android_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
new file mode 100644
index 0000000..9f675a2
--- /dev/null
+++ b/private/servicemanager.te
@@ -0,0 +1,5 @@
+typeattribute servicemanager coredomain;
+
+init_daemon_domain(servicemanager)
+
+read_runtime_log_tags(servicemanager)
diff --git a/private/sgdisk.te b/private/sgdisk.te
new file mode 100644
index 0000000..a17342e
--- /dev/null
+++ b/private/sgdisk.te
@@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
diff --git a/private/shared_relro.te b/private/shared_relro.te
new file mode 100644
index 0000000..8d06294
--- /dev/null
+++ b/private/shared_relro.te
@@ -0,0 +1,6 @@
+typeattribute shared_relro coredomain;
+typeattribute shared_relro domain_deprecated;
+
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
diff --git a/private/shell.te b/private/shell.te
new file mode 100644
index 0000000..fbd9676
--- /dev/null
+++ b/private/shell.te
@@ -0,0 +1,22 @@
+typeattribute shell coredomain;
+
+# systrace support - allow atrace to run
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file r_file_perms;
+allow shell tracing_shell_writable:file rw_file_perms;
+allow shell debugfs_trace_marker:file getattr;
+allow shell atrace_exec:file rx_file_perms;
+
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
+userdebug_or_eng(`
+  allow shell tracing_shell_writable_debug:file rw_file_perms;
+')
+
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
+
+# allow shell to call dumpsys storaged
+binder_call(shell, storaged)
diff --git a/private/slideshow.te b/private/slideshow.te
new file mode 100644
index 0000000..7dfa994
--- /dev/null
+++ b/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/private/storaged.te b/private/storaged.te
new file mode 100644
index 0000000..96433b3
--- /dev/null
+++ b/private/storaged.te
@@ -0,0 +1,51 @@
+# storaged daemon
+type storaged, domain, coredomain, mlstrustedsubject;
+type storaged_exec, exec_type, file_type;
+
+init_daemon_domain(storaged)
+
+# Read access to pseudo filesystems
+r_dir_file(storaged, sysfs_type)
+r_dir_file(storaged, proc_net)
+r_dir_file(storaged, domain)
+
+# Read /proc/uid_io/stats
+allow storaged proc_uid_io_stats:file r_file_perms;
+
+# Read /data/system/packages.list
+allow storaged system_data_file:file r_file_perms;
+
+userdebug_or_eng(`
+  # Read access to debugfs
+  allow storaged debugfs_mmc:dir search;
+  allow storaged debugfs_mmc:file r_file_perms;
+')
+
+# Needed to provide debug dump output via dumpsys pipes.
+allow storaged shell:fd use;
+allow storaged shell:fifo_file write;
+
+# Needed for GMScore to call dumpsys storaged
+allow storaged priv_app:fd use;
+allow storaged app_data_file:file write;
+allow storaged permission_service:service_manager find;
+
+# Binder permissions
+add_service(storaged, storaged_service)
+
+binder_use(storaged)
+binder_call(storaged, system_server)
+
+# use batteryproperties service
+allow storaged batteryproperties_service:service_manager find;
+binder_call(storaged, healthd)
+
+# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
+# running as root. See b/35323867 #3.
+dontaudit storaged self:capability dac_override;
+
+###
+### neverallow
+###
+neverallow storaged domain:process ptrace;
+neverallow storaged self:capability_class_set *;
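Review bot: The comment `# Read /data/system/packages.list` above `allow storaged system_data_file:file r_file_perms;` names one file, but the rule grants read on every file carrying the system_data_file label, which is a broad label shared across /data/system. Likewise `allow storaged app_data_file:file write;` is explained only as GMScore calling dumpsys; presumably the target is the fd handed over via the `priv_app:fd use` rule above, but as written it covers any app_data_file the daemon can reach. If the shared labels are unavoidable here, the comments should say so, e.g. `# Read /data/system/packages.list (system_data_file is a shared label, not just this file)` and `# Write to the dumpsys output fd passed in by GMScore (app_data_file label)`; otherwise the neverallow section at the bottom could constrain file writes the way recovery_persist.te does.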
diff --git a/private/su.te b/private/su.te
new file mode 100644
index 0000000..d42bf61
--- /dev/null
+++ b/private/su.te
@@ -0,0 +1,20 @@
+userdebug_or_eng(`
+  typeattribute su coredomain;
+
+  domain_auto_trans(shell, su_exec, su)
+  # Allow dumpstate to call su on userdebug / eng builds to collect
+  # additional information.
+  domain_auto_trans(dumpstate, su_exec, su)
+
+  # Make sure that dumpstate runs the same from the "su" domain as
+  # from the "init" domain.
+  domain_auto_trans(su, dumpstate_exec, dumpstate)
+
+  # Put the incident command into its domain so it is the same on user, userdebug and eng.
+  domain_auto_trans(su, incident_exec, incident)
+
+# su is also permissive to permit setenforce.
+  permissive su;
+
+  app_domain(su)
+')
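Review bot: The comment `# su is also permissive to permit setenforce.` is flush-left while every other line inside the `userdebug_or_eng(...)` block, including the `permissive su;` statement it describes, is indented two spaces. Indenting it (`  # su is also permissive to permit setenforce.`) keeps the block consistent and makes it clear the comment belongs to the statement below rather than to the macro as a whole.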
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
new file mode 100644
index 0000000..3595ee4
--- /dev/null
+++ b/private/surfaceflinger.te
@@ -0,0 +1,110 @@
+# surfaceflinger - display compositor service
+
+typeattribute surfaceflinger coredomain;
+
+type surfaceflinger_exec, exec_type, file_type;
+init_daemon_domain(surfaceflinger)
+
+typeattribute surfaceflinger mlstrustedsubject;
+typeattribute surfaceflinger display_service_server;
+
+read_runtime_log_tags(surfaceflinger)
+
+# Perform HwBinder IPC.
+hal_client_domain(surfaceflinger, hal_graphics_allocator)
+hal_client_domain(surfaceflinger, hal_graphics_composer)
+hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, bootanim)
+binder_service(surfaceflinger)
+
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Set properties.
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger app_data_file:file { read write };
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+
+# media.player service
+add_service(surfaceflinger, gpu_service)
+
+# do not use add_service() as hal_graphics_composer_default may be the
+# provider as well
+#add_service(surfaceflinger, surfaceflinger_service)
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger vr_manager_service:service_manager find;
+allow surfaceflinger window_service:service_manager find;
+
+
+# allow self to set SCHED_FIFO
+allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger proc_meminfo:file r_file_perms;
+r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, sysfs_type)
+r_dir_file(surfaceflinger, system_file)
+allow surfaceflinger tmpfs:dir r_dir_perms;
+allow surfaceflinger system_server:fd use;
+allow surfaceflinger ion_device:chr_file r_file_perms;
+
+# pdx IPC
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
+
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+neverallow surfaceflinger sdcard_type:file rw_file_perms;
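Review bot: The comment `# media.player service` above `add_service(surfaceflinger, gpu_service)` does not describe the rule it labels, which registers gpu_service, and reads like a leftover from another file. Something like `# gpu service` (possibly tied to the "cmd gpu vkjson" use mentioned on the adbd socket rule above, though that link is inferred and should be confirmed) would match the rule. The `#add_service(surfaceflinger, surfaceflinger_service)` line just below is a deliberately disabled rule with an explanation, so that one is fine as is.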
diff --git a/system_app.te b/private/system_app.te
similarity index 61%
rename from system_app.te
rename to private/system_app.te
index 50320c5..7950044 100644
--- a/system_app.te
+++ b/private/system_app.te
@@ -1,9 +1,12 @@
-#
-# Apps that run with the system UID, e.g. com.android.system.ui,
-# com.android.settings.  These are not as privileged as the system
-# server.
-#
-type system_app, domain, domain_deprecated;
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings.  These are not as privileged as the system
+### server.
+###
+
+typeattribute system_app coredomain;
+typeattribute system_app domain_deprecated;
+
 app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
@@ -26,6 +29,7 @@
 allow system_app icon_file:file r_file_perms;
 
 # Write to properties
+set_prop(system_app, bluetooth_prop)
 set_prop(system_app, debug_prop)
 set_prop(system_app, system_prop)
 set_prop(system_app, logd_prop)
@@ -47,31 +51,42 @@
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
+# Allow system apps to interact with incidentd
+binder_call(system_app, incidentd)
+
 allow system_app servicemanager:service_manager list;
-allow system_app { service_manager_type -netd_service }:service_manager find;
+# TODO: scope this down? Too broad?
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
-	get_state
-	get
-	insert
-	delete
-	exist
-	list
-	reset
-	password
-	lock
-	unlock
-	is_empty
-	sign
-	verify
-	grant
-	duplicate
-	clear_uid
-	user_changed
+    get_state
+    get
+    insert
+    delete
+    exist
+    list
+    reset
+    password
+    lock
+    unlock
+    is_empty
+    sign
+    verify
+    grant
+    duplicate
+    clear_uid
+    user_changed
 };
 
 # /sys access
-allow system_app sysfs_zram:dir search;
-allow system_app sysfs_zram:file r_file_perms;
+r_dir_file(system_app, sysfs_type)
 
 control_logd(system_app)
+read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
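Review bot: `r_dir_file(system_app, sysfs_type)` replaces the previous rules that only read sysfs_zram, widening read access from one sysfs label to every type carrying the sysfs_type attribute, and the `# /sys access` comment gives no reason for the widening. A one-line justification would help the next reviewer, e.g. `# /sys access: sysfs_type rather than sysfs_zram because <reason placeholder>`. The `# TODO: scope this down? Too broad?` left on the service_manager find rule is in the same spirit; if the excluded services are the outcome of a review, naming the rationale or tracking bug there would make the TODO actionable.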
diff --git a/system_server.te b/private/system_server.te
similarity index 66%
rename from system_server.te
rename to private/system_server.te
index db59b65..6341017 100644
--- a/system_server.te
+++ b/private/system_server.te
@@ -2,21 +2,26 @@
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
 #
-type system_server, domain, domain_deprecated, mlstrustedsubject;
+
+typeattribute system_server coredomain;
+typeattribute system_server domain_deprecated;
+typeattribute system_server mlstrustedsubject;
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
 
-# For art.
-allow system_server dalvikcache_data_file:file execute;
-allow system_server dalvikcache_data_file:dir r_dir_perms;
+# Create a socket for connections from crash_dump.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
-# Enable system server to check the foreign dex usage markers.
-# We need search on top level directories so that we can get to the files
-allow system_server user_profile_data_file:dir search;
-allow system_server user_profile_data_file:file getattr;
-allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name };
-allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink };
+allow system_server zygote_tmpfs:file read;
+
+# For art.
+allow system_server dalvikcache_data_file:dir r_dir_perms;
+allow system_server dalvikcache_data_file:file { r_file_perms execute };
+userdebug_or_eng(`
+  # Report dalvikcache_data_file:file execute violations.
+  auditallow system_server dalvikcache_data_file:file execute;
+')
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
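Review bot: The comment `# Report dalvikcache_data_file:file execute violations.` above the `auditallow` rule is misleading: `auditallow` logs accesses that are granted (the preceding `allow` line grants execute), not denials, so nothing it records is a violation. Suggest `# Log granted dalvikcache_data_file:file execute accesses (auditallow), presumably so the permission can be dropped once no longer used.` so readers do not mistake the audit records for denials when triaging logs.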
@@ -25,13 +30,17 @@
 # ptrace to processes in the same domain for debugging crashes.
 allow system_server self:process ptrace;
 
+# Read and delete last_reboot_reason file
+allow system_server reboot_data_file:file { rename r_file_perms unlink };
+allow system_server reboot_data_file:dir { write search open remove_name };
+
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
-allow system_server zygote_tmpfs:file read;
 
 # May kill zygote on crashes.
 allow system_server zygote:process sigkill;
+allow system_server crash_dump:process sigkill;
 
 # Read /system/bin/app_process.
 allow system_server zygote_exec:file r_file_perms;
@@ -41,6 +50,9 @@
 
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
+# in addition to ioctls whitelisted for all domains, also allow system_server
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
 
 # These are the capabilities assigned by the zygote to the
@@ -64,27 +76,35 @@
 # Trigger module auto-load.
 allow system_server kernel:system module_request;
 
+# Allow alarmtimers to be set
+allow system_server self:capability2 wake_alarm;
+
 # Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
 # Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms;
-allow system_server self:netlink_generic_socket create_socket_perms;
+allow system_server self:netlink_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
 
 # Use generic "sockets" where the address family is not known
-# to the kernel.
-allow system_server self:socket create_socket_perms;
+# to the kernel. The ioctl permission is specifically omitted here, but may
+# be added to device specific policy along with the ioctl commands to be
+# whitelisted.
+allow system_server self:socket create_socket_perms_no_ioctl;
 
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
 
 # Kill apps.
-allow system_server { appdomain autoplay_app }:process { sigkill signal };
+allow system_server appdomain:process { sigkill signal };
 
 # Set scheduling info for apps.
-allow system_server { appdomain autoplay_app }:process { getsched setsched };
+allow system_server appdomain:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
+allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
+allow system_server hal_camera:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 allow system_server bootanim:process { getsched setsched };
 
@@ -104,35 +124,36 @@
 # Write /proc/uid_cputime/remove_uid_range.
 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
+# Read /proc/stat for CPU usage statistics
+allow system_server proc_stat:file r_file_perms;
+
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
 # The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms;
+allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
 # NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
 # as raw sockets, but the kernel doesn't yet distinguish between the two.
 allow system_server node:rawip_socket node_bind;
 
 # 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms;
-
-# Notify init of death.
-allow system_server init:process sigchld;
+allow system_server self:tun_socket create_socket_perms_no_ioctl;
 
 # Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
 unix_socket_connect(system_server, netd, netd)
 unix_socket_connect(system_server, vold, vold)
+unix_socket_connect(system_server, webview_zygote, webview_zygote)
 unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, gps, gpsd)
 unix_socket_connect(system_server, racoon, racoon)
-unix_socket_send(system_server, wpa, wpa)
 unix_socket_connect(system_server, uncrypt, uncrypt)
 
 # Communicate over a socket created by surfaceflinger.
@@ -140,32 +161,85 @@
 
 # Perform Binder IPC.
 binder_use(system_server)
+binder_call(system_server, appdomain)
 binder_call(system_server, binderservicedomain)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, fingerprintd)
-binder_call(system_server, { appdomain autoplay_app })
 binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, installd)
+binder_call(system_server, incidentd)
 binder_call(system_server, netd)
+binder_call(system_server, wificond)
 binder_service(system_server)
 
-# Ask debuggerd to dump backtraces for native stacks of interest.
-#
-# This is derived from the list that system server defines as interesting native processes
-# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
-# frameworks/base/services/core/java/com/android/server/Watchdog.java.
+# Use HALs
+hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_fingerprint)
+hal_client_domain(system_server, hal_gnss)
+hal_client_domain(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_ir)
+hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
+hal_client_domain(system_server, hal_power)
+hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_input)
+hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_vibrator)
+hal_client_domain(system_server, hal_vr)
+hal_client_domain(system_server, hal_weaver)
+hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_offload)
+hal_client_domain(system_server, hal_wifi_supplicant)
+
+binder_call(system_server, mediacodec)
+
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+
+# Send signals to trigger ANR traces.
 allow system_server {
+  # This is derived from the list that system server defines as interesting native processes
+  # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
   audioserver
-  bluetooth
   cameraserver
   drmserver
   inputflinger
-  mediacodec
   mediadrmserver
   mediaextractor
   mediaserver
+  mediametrics
   sdcardd
   surfaceflinger
-}:debuggerd dump_backtrace;
+
+  # This list comes from HAL_INTERFACES_OF_INTEREST in
+  # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+  hal_audio_server
+  hal_bluetooth_server
+  hal_camera_server
+  hal_graphics_composer_server
+  hal_vr_server
+  mediacodec # TODO(b/36375899): hal_omx_server
+}:process { signal };
 
 # Use sockets received over binder from various services.
 allow system_server audioserver:tcp_socket rw_socket_perms;
@@ -177,6 +251,10 @@
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
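Review bot: `allow system_server mac_perms_file: file r_file_perms;` has a space after the colon and a lowercase comment (`# access for mac_permissions`), unlike every other rule and comment in the file; the two new rules are also not separated from the following `# Check SELinux permissions.` comment by a blank line. Suggest `allow system_server mac_perms_file:file r_file_perms;` with `# Read mac_permissions.xml.` above it and a blank line after.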
@@ -188,6 +266,9 @@
 allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
 
+# TODO: Remove when HALs are forced into separate processes
+allow system_server sysfs_vibrator:file { write append };
+
 # TODO: added to match above sysfs rule. Remove me?
 allow system_server sysfs_usb:file w_file_perms;
 
@@ -219,13 +300,20 @@
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
 allow system_server keychain_data_file:dir create_dir_perms;
 allow system_server keychain_data_file:file create_file_perms;
+allow system_server keychain_data_file:lnk_file create_file_perms;
 
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:file { create_file_perms link };
+allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
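Review bot: The comment above `r_dir_file(system_server, vendor_overlay_file)` is a copy of the one above the `vendor_app_file` rule (`# Access /vendor/app`) and does not describe the rule it labels; presumably it should read `# Access /vendor/overlay` (the path behind vendor_overlay_file is not visible here, so confirm). Also, `apk_data_file:{ file lnk_file } { create_file_perms link }` now lets system_server create and hard-link symlinks under /data/app; a one-line why-comment for the lnk_file addition would help the next reader judge whether it is still needed.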
@@ -241,6 +329,10 @@
 allow system_server anr_data_file:dir create_dir_perms;
 allow system_server anr_data_file:file create_file_perms;
 
+# Read /data/misc/incidents - only read. The fd will be sent over binder,
+# with no DAC access to it, for dropbox to read.
+allow system_server incident_data_file:file read;
+
 # Manage /data/backup.
 allow system_server backup_data_file:dir create_dir_perms;
 allow system_server backup_data_file:file create_file_perms;
@@ -262,6 +354,10 @@
 allow system_server systemkeys_data_file:dir create_dir_perms;
 allow system_server systemkeys_data_file:file create_file_perms;
 
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
 # Access /data/tombstones.
 allow system_server tombstone_data_file:dir r_dir_perms;
 allow system_server tombstone_data_file:file r_file_perms;
@@ -280,7 +376,7 @@
 
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file autoplay_data_file }:dir { getattr read search };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
 allow system_server unlabeled:dir r_dir_perms;
@@ -293,13 +389,14 @@
 
 # Receive and use open app data files passed over binder IPC.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+
+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
 
 # Receive and use open /data/media files passed over binder IPC.
-allow system_server media_rw_data_file:file { getattr read write };
-
-# Read /file_contexts and /data/security/file_contexts
-security_access_policy(system_server)
+# Also used for measuring disk usage.
+allow system_server media_rw_data_file:file { getattr read write append };
 
 # Relabel apk files.
 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
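Review bot: The new `media_rw_data_file:dir { search getattr open read }` rule is a superset of the `media_rw_data_file:dir search` rule that the hunk at L8702–L8713 deletes, and the deleted rule carried a caveat ("should be removed if sdcardfs is modified to alter the secontext for its accesses") that is lost in the move; the new comment only states the disk-usage use. Keeping that caveat with the new rule, e.g. `# Access to /data/media for measuring disk usage. Revisit if sdcardfs starts relabeling its underlying accesses.`, preserves the reason the broader grant exists.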
@@ -334,11 +431,14 @@
 set_prop(system_server, safemode_prop)
 set_prop(system_server, dhcp_prop)
 set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
 set_prop(system_server, system_radio_prop)
 set_prop(system_server, debug_prop)
 set_prop(system_server, powerctl_prop)
 set_prop(system_server, fingerprint_prop)
 set_prop(system_server, device_logging_prop)
+set_prop(system_server, dumpstate_options_prop)
+set_prop(system_server, overlay_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 
 # ctl interface
@@ -348,17 +448,16 @@
 # cppreopt property
 set_prop(system_server, cppreopt_prop)
 
-# Create a socket for receiving info from wpa.
-type_transition system_server wifi_data_file:sock_file system_wpa_socket;
-type_transition system_server wpa_socket:sock_file system_wpa_socket;
-allow system_server wpa_socket:dir rw_dir_perms;
-allow system_server system_wpa_socket:sock_file create_file_perms;
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
 
-# Remove sockets created by wpa_supplicant
-allow system_server wpa_socket:sock_file unlink;
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
+# Read/write the property which keeps track of whether this is the first start of system_server
+set_prop(system_server, firstboot_prop)
 
 # Create a socket for connections from debuggerd.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
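Review bot: The `type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"` line is removed while `allow system_server system_ndebug_socket:sock_file create_file_perms;` is kept, so nothing visible in this file now gives a socket that system_server creates under system_data_file the `system_ndebug_socket` label. If the labeling moved elsewhere that is fine, but note that the neverallow at L8779 only protects sockets that actually carry that label; a comment such as `# The socket is labeled system_ndebug_socket via <wherever the transition now lives>` next to the remaining allow would make the dependency checkable.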
 # Manage cache files.
@@ -366,20 +465,16 @@
 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
-# Run system programs, e.g. dexopt.
-allow system_server system_file:file x_file_perms;
+allow system_server system_file:dir r_dir_perms;
+allow system_server system_file:lnk_file r_file_perms;
 
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
-allow system_server gps_device:chr_file rw_file_perms;
 allow system_server gps_control:file rw_file_perms;
 
 # Allow system_server to use app-created sockets and pipes.
-allow system_server { appdomain autoplay_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server { appdomain autoplay_app }:{ fifo_file unix_stream_socket } { getattr read write };
-
-# Allow abstract socket connection
-allow system_server rild:unix_stream_socket connectto;
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
 
 # BackupManagerService needs to manipulate backup data files
 allow system_server cache_backup_file:dir rw_dir_perms;
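Review bot: The two new `system_file` rules (`:dir r_dir_perms`, `:lnk_file r_file_perms`) replace a commented rule but carry no comment of their own, leaving them as the only uncommented allow pair in this part of the file. A one-liner such as `# Read /system directories and symlinks (execute of system binaries is no longer granted here).` would document both what was added and what was deliberately dropped.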
@@ -392,9 +487,6 @@
 allow system_server usb_device:chr_file rw_file_perms;
 allow system_server usb_device:dir r_dir_perms;
 
-# Allow system to talk to sensors
-allow system_server sensors_device:chr_file rw_file_perms;
-
 # Read from HW RNG (needed by EntropyMixer).
 allow system_server hw_random_device:chr_file r_file_perms;
 
@@ -409,6 +501,7 @@
 
 # Read from log daemon.
 read_logd(system_server)
+read_runtime_log_tags(system_server)
 
 # Be consistent with DAC permissions. Allow system_server to write to
 # /sys/module/lowmemorykiller/parameters/adj
@@ -425,22 +518,29 @@
 allow system_server sysfs_zram:dir search;
 allow system_server sysfs_zram:file r_file_perms;
 
+add_service(system_server, system_server_service);
 allow system_server audioserver_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
+allow system_server dumpstate_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server incident_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
+allow system_server mediametrics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
+allow system_server mediacasserver_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
-allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
+allow system_server wificond_service:service_manager find;
 
 allow system_server keystore:keystore_key {
 	get_state
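Review bot: `add_service(system_server, system_server_service);` ends with a semicolon, unlike every other macro invocation in the file (`binder_call`, `unix_socket_connect`, `set_prop`, `r_dir_file`); since the macro expands to rules that already end in `;`, the extra one yields an empty statement, which may or may not be accepted by the policy compiler in use, and is inconsistent either way — suggest `add_service(system_server, system_server_service)`. The `service_manager find` list is otherwise alphabetized, but `hal_fingerprint_service` and `mediametrics_service` are inserted out of order; keeping the list sorted makes future additions easier to review.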
@@ -505,6 +605,8 @@
 # For AppFuse.
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
 
 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };
@@ -516,11 +618,6 @@
 allow system_server adbd:fd use;
 allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow system_server media_rw_data_file:dir search;
-
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
@@ -536,6 +633,34 @@
 # Access to /data/preloads
 allow system_server preloads_data_file:file { r_file_perms unlink };
 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+r_dir_file(system_server, cgroup)
+allow system_server ion_device:chr_file r_file_perms;
+
+r_dir_file(system_server, proc)
+r_dir_file(system_server, proc_meminfo)
+r_dir_file(system_server, proc_net)
+r_dir_file(system_server, rootfs)
+r_dir_file(system_server, sysfs_type)
+
+### Rules needed when Light HAL runs inside system_server process.
+### These rules should eventually be granted only when needed.
+allow system_server sysfs_leds:lnk_file read;
+allow system_server sysfs_leds:file rw_file_perms;
+allow system_server sysfs_leds:dir r_dir_perms;
+###
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow system_server debugfs_tracing_instances:dir search;
+allow system_server debugfs_wifi_tracing:file rw_file_perms;
+
+# allow system_server to exec shell on ASAN builds. Needed to run
+# asanwrapper.
+with_asan(`
+  allow system_server shell_exec:file rx_file_perms;
+')
 
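Review bot: The block `r_dir_file(system_server, proc)` … `r_dir_file(system_server, sysfs_type)` together with `cgroup` and `ion_device` reads has no comment at all, and `r_dir_file(system_server, proc)` in particular grants read on every file carrying the generic `proc` label; given that the last hunk of this file (L8808–L8811) is specifically about tightening system_server's /proc access, a why-comment naming the consumer, e.g. `# Read generic procfs/sysfs nodes for <service> — TODO confirm which service needs the unlabeled proc type`, would let that breadth be revisited. The `### Rules needed when Light HAL runs inside system_server` block is also the only TODO-style note here without a tracking bug id, unlike the other TODOs in the diff.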
 ###
 ### Neverallow rules
@@ -547,12 +672,31 @@
 neverallow system_server sdcard_type:dir { open read write };
 neverallow system_server sdcard_type:file rw_file_perms;
 
-# system server should never be opening zygote spawned app data
+# system server should never be operating on zygote spawned app data
 # files directly. Rather, they should always be passed via a
 # file descriptor.
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server {
+  file_type
+  -toolbox_exec
+  -logcat_exec
+  with_asan(`-shell_exec')
+}:file execute_no_trans;
+
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs.
+neverallow system_server { domain -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
 
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
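Review bot: The comment `# Only allow crash_dump to connect to system_ndebug_socket.` does not match the rule under it, which also exempts `init` and `system_server` from the `{ open write }` neverallow; a reader checking the invariant would otherwise wonder why those two are allowed. Suggest `# Only crash_dump (besides init and system_server itself) may open/write system_ndebug_socket.`. The `execute_no_trans` neverallow correctly mirrors the `with_asan` shell_exec allow added earlier in the diff (L8743–L8745).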
@@ -560,7 +704,8 @@
 # want to allow.
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
-# system_server should never execute anything from /data except for /data/dalvik-cache files.
+# system_server should never execute or load executable shared libraries
+# in /data except for /data/dalvik-cache files.
 neverallow system_server {
   data_file_type
   -dalvikcache_data_file #mapping with PROT_EXEC
@@ -574,4 +719,18 @@
 # system_server should never use JIT functionality
 neverallow system_server self:process execmem;
 neverallow system_server ashmem_device:chr_file execute;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
 neverallow system_server system_server_tmpfs:file execute;
+
+# dexoptanalyzer is currently used only for secondary dex files which
+# system_server should never access.
+neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+# This neverallow can be removed after b/34951864 is fixed.
+neverallow system_server system_server:capability sys_resource;
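Review bot: The closing comment is self-contradictory: it says CAP_SYS_RESOURCE "is now unnecessary (b/34951864)" and then that the neverallow "can be removed after b/34951864 is fixed", so a reader cannot tell whether the bug is resolved. Suggest one consistent wording, e.g. `# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID file reads. b/34951864 tracks removing that need; this neverallow guards against it being re-added and can itself be dropped once that work is done.`. The commit title says sys_resource is replaced with sys_ptrace, but no `sys_ptrace` allow appears in the visible hunks — presumably it is earlier in the file, outside this excerpt.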
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
new file mode 100644
index 0000000..ccbae10
--- /dev/null
+++ b/private/technical_debt.cil
@@ -0,0 +1,28 @@
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_allocator_client;
+;     typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))
+
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
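Review bot: Only `hal_allocator_client` is additionally folded into `halclientdomain` here, while `hal_configstore_client` and `hal_graphics_allocator_client` get the app-domain typeattributeset without a corresponding `halclientdomain` line; if that mapping is provided elsewhere for those two, a short comment saying so would stop the asymmetry from looking like an omission. Something like `; halclientdomain membership for hal_configstore_client / hal_graphics_allocator_client is established in <file> — TODO confirm` next to each would do.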
diff --git a/private/tombstoned.te b/private/tombstoned.te
new file mode 100644
index 0000000..305f9d0
--- /dev/null
+++ b/private/tombstoned.te
@@ -0,0 +1,3 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
diff --git a/private/toolbox.te b/private/toolbox.te
new file mode 100644
index 0000000..a2b958d
--- /dev/null
+++ b/private/toolbox.te
@@ -0,0 +1,3 @@
+typeattribute toolbox coredomain;
+
+init_daemon_domain(toolbox)
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
new file mode 100644
index 0000000..502735c
--- /dev/null
+++ b/private/tzdatacheck.te
@@ -0,0 +1,3 @@
+typeattribute tzdatacheck coredomain;
+
+init_daemon_domain(tzdatacheck)
diff --git a/private/ueventd.te b/private/ueventd.te
new file mode 100644
index 0000000..0df587f
--- /dev/null
+++ b/private/ueventd.te
@@ -0,0 +1,4 @@
+typeattribute ueventd coredomain;
+typeattribute ueventd domain_deprecated;
+
+tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
new file mode 100644
index 0000000..fde686b
--- /dev/null
+++ b/private/uncrypt.te
@@ -0,0 +1,4 @@
+typeattribute uncrypt coredomain;
+typeattribute uncrypt domain_deprecated;
+
+init_daemon_domain(uncrypt)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
new file mode 100644
index 0000000..68c1a41
--- /dev/null
+++ b/private/untrusted_app.te
@@ -0,0 +1,29 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app coredomain;
+
+app_domain(untrusted_app)
+untrusted_app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app)
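Review bot: The header states that `untrusted_app` is the default seapp_contexts assignment for any app in the APP_AID..AID_ISOLATED_START range, but the new `untrusted_app_25.te` in this same diff (L8937–L8938) says apps with targetSdkVersion <= 25 land in `untrusted_app_25` and repeats the same "default" paragraph verbatim, so the two files now make conflicting claims. Suggest adding one sentence to this header, e.g. `### Apps targeting targetSdkVersion <= 25 are assigned untrusted_app_25 instead; see untrusted_app_25.te.`, and trimming the duplicate paragraph in the other file accordingly.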
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
new file mode 100644
index 0000000..3fa79ef
--- /dev/null
+++ b/private/untrusted_app_25.te
@@ -0,0 +1,46 @@
+###
+### Untrusted_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app_25 coredomain;
+
+app_domain(untrusted_app_25)
+untrusted_app_domain(untrusted_app_25)
+net_domain(untrusted_app_25)
+bluetooth_domain(untrusted_app_25)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_25)
+
+# b/34115651 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_app_25, net_dns_prop)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
new file mode 100644
index 0000000..fc80129
--- /dev/null
+++ b/private/untrusted_app_all.te
@@ -0,0 +1,106 @@
+###
+### Untrusted_app_all.
+###
+### This file defines the rules shared by all untrusted app domains except
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app_all attribute is assigned to all default
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### attribute is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
+
+# Legacy text relocations
+allow untrusted_app_all apk_data_file:file execmod;
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
+
+# ASEC
+allow untrusted_app_all asec_apk_file:file r_file_perms;
+allow untrusted_app_all asec_apk_file:dir r_dir_perms;
+# Execute libs in asec containers.
+allow untrusted_app_all asec_public_file:file { execute execmod };
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app_all shell_data_file:file r_file_perms;
+allow untrusted_app_all shell_data_file:dir r_dir_perms;
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app_all system_app_data_file:file { read write getattr };
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access to /data/media.
+allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
+allow untrusted_app_all media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app_all mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_app_all servicemanager:service_manager list;
+
+allow untrusted_app_all audioserver_service:service_manager find;
+allow untrusted_app_all cameraserver_service:service_manager find;
+allow untrusted_app_all drmserver_service:service_manager find;
+allow untrusted_app_all mediaserver_service:service_manager find;
+allow untrusted_app_all mediaextractor_service:service_manager find;
+allow untrusted_app_all mediacodec_service:service_manager find;
+allow untrusted_app_all mediametrics_service:service_manager find;
+allow untrusted_app_all mediadrmserver_service:service_manager find;
+allow untrusted_app_all mediacasserver_service:service_manager find;
+allow untrusted_app_all nfc_service:service_manager find;
+allow untrusted_app_all radio_service:service_manager find;
+allow untrusted_app_all surfaceflinger_service:service_manager find;
+allow untrusted_app_all app_api_service:service_manager find;
+allow untrusted_app_all vr_manager_service:service_manager find;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+  allow untrusted_app_all perfprofd_data_file:file r_file_perms;
+  allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
+')
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_app_all self:process ptrace;
+
+# Cts: HwRngTest
+allow untrusted_app_all sysfs_hwrandom:dir search;
+allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
+
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating  a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
new file mode 100644
index 0000000..ef62841
--- /dev/null
+++ b/private/untrusted_v2_app.te
@@ -0,0 +1,43 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+typeattribute untrusted_v2_app coredomain;
+
+app_domain(untrusted_v2_app)
+net_domain(untrusted_v2_app)
+bluetooth_domain(untrusted_v2_app)
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_v2_app system_app_data_file:file { read write getattr };
+
+# Access to /data/media.
+allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
+allow untrusted_v2_app media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_v2_app mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_v2_app servicemanager:service_manager list;
+
+allow untrusted_v2_app audioserver_service:service_manager find;
+allow untrusted_v2_app cameraserver_service:service_manager find;
+allow untrusted_v2_app drmserver_service:service_manager find;
+allow untrusted_v2_app mediaserver_service:service_manager find;
+allow untrusted_v2_app mediaextractor_service:service_manager find;
+allow untrusted_v2_app mediacodec_service:service_manager find;
+allow untrusted_v2_app mediametrics_service:service_manager find;
+allow untrusted_v2_app mediadrmserver_service:service_manager find;
+allow untrusted_v2_app mediacasserver_service:service_manager find;
+allow untrusted_v2_app nfc_service:service_manager find;
+allow untrusted_v2_app radio_service:service_manager find;
+allow untrusted_v2_app surfaceflinger_service:service_manager find;
+# TODO: potentially provide a tighter list of services here
+allow untrusted_v2_app app_api_service:service_manager find;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_v2_app self:process ptrace;
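Review bot: The service_manager find list from audioserver_service through app_api_service duplicates the untrusted_app_all list in the previous hunk but omits vr_manager_service, and nothing says whether that omission is intentional; a line such as `# Deliberately narrower than untrusted_app_all: no vr_manager_service` would stop the two lists drifting silently. The `servicemanager:service_manager list` grant is commented as "allow cts to query all services", but the rule applies to every process in untrusted_v2_app, so the comment should say that service enumeration is granted to all apps in this domain and that CTS is merely the motivating case.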
diff --git a/private/update_engine.te b/private/update_engine.te
new file mode 100644
index 0000000..f460272
--- /dev/null
+++ b/private/update_engine.te
@@ -0,0 +1,4 @@
+typeattribute update_engine coredomain;
+typeattribute update_engine domain_deprecated;
+
+init_daemon_domain(update_engine);
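Review bot: `init_daemon_domain(update_engine);` carries a trailing semicolon while the sibling new files in this commit (update_verifier, vdc, virtual_touchpad, wificond) write the same macro call without one; vold.te mixes both forms, so presumably either compiles, but one convention per commit is easier to grep and review. This file also attaches `domain_deprecated` to update_engine, as the vold and zygote hunks do for their domains, with no comment or bug reference saying when the legacy grants are expected to go away; a `# TODO(<bug id>): drop domain_deprecated` next to each occurrence would keep the debt visible.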
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
new file mode 100644
index 0000000..a7fb584
--- /dev/null
+++ b/private/update_engine_common.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
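Review bot: The header comment reads as one run-on sentence ("type_transition must be private policy the domain_trans rules could stay public") and loses the distinction it is trying to draw. Suggest `# The type_transition must live in private policy; the domain_trans rules could stay public but conceptually belong with it.` for the first pair of lines, and `# The postinstall program run by update_engine_common is always labelled postinstall_file, regardless of its attributes in the new system.` for the second.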
diff --git a/private/update_verifier.te b/private/update_verifier.te
new file mode 100644
index 0000000..1b934d9
--- /dev/null
+++ b/private/update_verifier.te
@@ -0,0 +1,3 @@
+typeattribute update_verifier coredomain;
+
+init_daemon_domain(update_verifier)
diff --git a/users b/private/users
similarity index 100%
rename from users
rename to private/users
diff --git a/private/vdc.te b/private/vdc.te
new file mode 100644
index 0000000..bc7409e
--- /dev/null
+++ b/private/vdc.te
@@ -0,0 +1,3 @@
+typeattribute vdc coredomain;
+
+init_daemon_domain(vdc)
diff --git a/private/virtual_touchpad.te b/private/virtual_touchpad.te
new file mode 100644
index 0000000..e735172
--- /dev/null
+++ b/private/virtual_touchpad.te
@@ -0,0 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
+init_daemon_domain(virtual_touchpad)
diff --git a/private/vold.te b/private/vold.te
new file mode 100644
index 0000000..f2416f8
--- /dev/null
+++ b/private/vold.te
@@ -0,0 +1,20 @@
+typeattribute vold coredomain;
+typeattribute vold domain_deprecated;
+
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
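Review bot: The blkid/blkid_untrusted and fsck/fsck_untrusted pairs are expressed with `domain_trans` rather than `domain_auto_trans`, so the policy permits both transitions from the same executable and the choice of the restrictive domain for an untrusted block device is left to vold at runtime (presumably via setexeccon); the comment above them should say so, since a reader may otherwise assume the policy itself enforces which domain is used. A line such as `# Policy allows either target; vold selects the *_untrusted domain itself when the device is untrusted.` above the domain_trans lines would make that explicit.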
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
new file mode 100644
index 0000000..053c03d
--- /dev/null
+++ b/private/vr_hwc.te
@@ -0,0 +1,6 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/private/watchdogd.te b/private/watchdogd.te
new file mode 100644
index 0000000..36dd30f
--- /dev/null
+++ b/private/watchdogd.te
@@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
new file mode 100644
index 0000000..501581a
--- /dev/null
+++ b/private/webview_zygote.te
@@ -0,0 +1,116 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+typeattribute webview_zygote coredomain;
+
+# The webview_zygote needs to be able to transition domains.
+typeattribute webview_zygote mlstrustedsubject;
+
+# When init launches the WebView zygote's executable, transition the
+# resulting process into webview_zygote domain.
+init_daemon_domain(webview_zygote)
+
+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:capability { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+
+# Allow webview_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow webview_zygote debugfs_trace_marker:file getattr;
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for init to exec() us.
+neverallow { domain -init } webview_zygote:process transition;
+neverallow * webview_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote {
+    app_data_file
+    system_app_data_file
+    bluetooth_data_file
+    nfc_data_file
+    radio_data_file
+    shell_data_file
+}:file { rwx_file_perms };
+
+neverallow webview_zygote {
+    service_manager_type
+    -activity_service
+    -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+  appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+  netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+  netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+  netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+  sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+  x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+  pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+  rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket
+} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote bluetooth_prop:file create_file_perms;
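Review bot: The comment "Allow webview_zygote to manage the pgroup of its children" sits above `allow webview_zygote system_server:process getpgid;`, but the target is system_server, not a child; the children rule is the separate `isolated_app:process setpgid` line below it. Either the comment should give the actual reason for getpgid on system_server (e.g. `# Read system_server's process group so children can be placed into it.` if that is the reason — confirm) or the two rules should be grouped under one accurate comment. The sentence "Having said that, exec() above is not allowed." on the execute_no_trans neverallow is also hard to parse; `# exec() without a domain change is never allowed; the only permitted exec() transition is crash_dump.` states the intent.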
diff --git a/private/wificond.te b/private/wificond.te
new file mode 100644
index 0000000..cc76447
--- /dev/null
+++ b/private/wificond.te
@@ -0,0 +1,4 @@
+typeattribute wificond coredomain;
+
+init_daemon_domain(wificond)
+hal_client_domain(wificond, hal_wifi_offload)
diff --git a/zygote.te b/private/zygote.te
similarity index 67%
rename from zygote.te
rename to private/zygote.te
index c6b343c..daabbc0 100644
--- a/zygote.te
+++ b/private/zygote.te
@@ -1,68 +1,88 @@
 # zygote
-type zygote, domain, domain_deprecated;
-type zygote_exec, exec_type, file_type;
+typeattribute zygote coredomain;
+typeattribute zygote domain_deprecated;
+typeattribute zygote mlstrustedsubject;
 
 init_daemon_domain(zygote)
-typeattribute zygote mlstrustedsubject;
+
+read_runtime_log_tags(zygote)
+
 # Override DAC on files and switch uid/gid.
 allow zygote self:capability { dac_override setgid setuid fowner chown };
+
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
+
 # Switch SELinux context to app domains.
 allow zygote self:process setcurrent;
 allow zygote system_server:process dyntransition;
-allow zygote { appdomain autoplay_app }:process dyntransition;
-# Allow zygote to read app /proc/pid dirs (b/10455872)
-allow zygote { appdomain autoplay_app }:dir { getattr search };
-allow zygote { appdomain autoplay_app }:file { r_file_perms };
+allow zygote appdomain:process dyntransition;
+
+# Allow zygote to read app /proc/pid dirs (b/10455872).
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
+
 # Move children into the peer process group.
 allow zygote system_server:process { getpgid setpgid };
-allow zygote { appdomain autoplay_app }:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+
 # Read system data.
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
+
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
-# Create symlinks in /data/dalvik-cache
+
+# Create symlinks in /data/dalvik-cache.
 allow zygote dalvikcache_data_file:lnk_file create_file_perms;
-# Write to /data/resource-cache
+
+# Write to /data/resource-cache.
 allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
-# For art.
-allow zygote dalvikcache_data_file:file execute;
+
+# When WITH_DEXPREOPT is true, the zygote does not load executable content from
+# /data/dalvik-cache.
+allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
+
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?
 allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
+allow zygote cgroup:{ file lnk_file } r_file_perms;
 allow zygote self:capability sys_admin;
+
 # Allow zygote to stat the files that it opens. The zygote must
 # be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384
-allow zygote pmsg_device:chr_file { getattr };
-allow zygote debugfs_trace_marker:file { getattr };
+# if necessary: b/30963384.
+allow zygote pmsg_device:chr_file getattr;
+allow zygote debugfs_trace_marker:file getattr;
 
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(zygote)
 # Check SELinux permissions.
 selinux_check_access(zygote)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(zygote)
 
 # Native bridge functionality requires that zygote replaces
 # /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
 allow zygote proc_cpuinfo:file mounton;
 
-# Allow remounting rootfs as MS_SLAVE
+# Allow remounting rootfs as MS_SLAVE.
 allow zygote rootfs:dir mounton;
 allow zygote tmpfs:filesystem { mount unmount };
 allow zygote fuse:filesystem { unmount };
 allow zygote sdcardfs:filesystem { unmount };
 
-# Allowed to create user-specific storage source if started before vold
+# Allow creating user-specific storage source if started before vold.
 allow zygote mnt_user_file:dir create_dir_perms;
 allow zygote mnt_user_file:lnk_file create_file_perms;
 # Allowed to mount user-specific storage into place
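Review bot: The comment "Allow apps access to /vendor/overlay" above `r_dir_file(zygote, vendor_overlay_file)` describes a grant to apps, but the rule grants read access to zygote only; if the intent is that zygote opens the overlays before forking so app processes inherit them, say so, e.g. `# Zygote reads /vendor/overlay before forking; app processes inherit the open files.` — confirm which it is. The construct `allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;` is dense: it presumably expands to an empty source set when WITH_DEXPREOPT is on, and a trailing comment saying exactly that would save the next reader from working it out.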
@@ -75,11 +95,10 @@
 r_dir_file(zygote, proc_net)
 
 # Root fs.
-allow zygote rootfs:file r_file_perms;
+r_dir_file(zygote, rootfs)
 
 # System file accesses.
-allow zygote system_file:dir r_dir_perms;
-allow zygote system_file:file r_file_perms;
+r_dir_file(zygote, system_file)
 
 userdebug_or_eng(`
   # Allow zygote to create and write method traces in /data/misc/trace.
@@ -87,6 +106,12 @@
   allow zygote method_trace_data_file:file { create w_file_perms };
 ')
 
+allow zygote ion_device:chr_file r_file_perms;
+allow zygote tmpfs:dir r_dir_perms;
+
+# Let the zygote access overlays so it can initialize the AssetManager.
+get_prop(zygote, overlay_prop)
+
 ###
 ### neverallow rules
 ###
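Review bot: `allow zygote ion_device:chr_file r_file_perms;` and `allow zygote tmpfs:dir r_dir_perms;` are added without any comment while every other grant in this file says what it is for; a short why-comment on each (what zygote reads from /dev/ion and from tmpfs directories) is needed because the reason is not visible from the rule. The userdebug_or_eng block closes just above them, so both grants apply to all builds — worth confirming that is intended.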
@@ -97,10 +122,13 @@
 # This is achieved by ensuring that it is impossible for zygote to
 # setcon (dyntransition) to any types other than those associated
 # with appdomain plus system_server.
-neverallow zygote ~{ appdomain autoplay_app system_server }:process dyntransition;
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
 
 # Zygote should never execute anything from /data except for /data/dalvik-cache files.
 neverallow zygote {
   data_file_type
   -dalvikcache_data_file # map PROT_EXEC
 }:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote bluetooth_prop:file create_file_perms;
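Review bot: The new comment "Do not allow access to Bluetooth-related system properties and files" is backed only by `neverallow zygote bluetooth_prop:file create_file_perms;`; no rule in this hunk covers Bluetooth data files, unlike webview_zygote.te in this commit where bluetooth_data_file is in the app-data neverallow list. Either add the files rule or trim the comment to `# Do not allow access to Bluetooth-related system properties.` so it matches what is enforced.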
diff --git a/public/adbd.te b/public/adbd.te
new file mode 100644
index 0000000..7ecd045
--- /dev/null
+++ b/public/adbd.te
@@ -0,0 +1,3 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain;
diff --git a/public/asan_extract.te b/public/asan_extract.te
new file mode 100644
index 0000000..6d0de6c
--- /dev/null
+++ b/public/asan_extract.te
@@ -0,0 +1,36 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+  type asan_extract, domain, coredomain;
+  type asan_extract_exec, exec_type, file_type;
+
+  # Allow asan_extract to execute itself using #!/system/bin/sh
+  allow asan_extract shell_exec:file rx_file_perms;
+
+  # We execute log, rm, gzip and tar.
+  allow asan_extract toolbox_exec:file rx_file_perms;
+  allow asan_extract system_file:file execute_no_trans;
+
+  # asan_extract deletes old /data/lib.
+  allow asan_extract system_file:dir { open read remove_name rmdir write };
+  allow asan_extract system_file:file unlink;
+
+  # asan_extract untars ASAN libraries into /data.
+  allow asan_extract system_data_file:dir create_dir_perms ;
+  allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+  # Relabel the libraries with restorecon.
+  allow asan_extract file_contexts_file:file r_file_perms;
+  allow asan_extract system_data_file:{ dir file } relabelfrom;
+  allow asan_extract system_file:dir { relabelto setattr };
+  allow asan_extract system_file:file relabelto;
+
+  # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+  allow asan_extract system_data_file:file execute;
+
+  # We use asan.restore_reboot to signal a reboot is required.
+  set_prop(asan_extract, asan_reboot_prop)
+')
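Review bot: Inside the with_asan block, asan_extract is allowed to unlink, relabelto and write into system_file directories and to execute from system_data_file; the only thing keeping those grants out of a shipping policy is the with_asan guard, which the file header does not mention. A line such as `# Everything below exists only in sanitizer builds (with_asan); none of these grants may appear in a release policy.` makes that boundary explicit for reviewers of later changes. Separately, `create_dir_perms ;` and `create_file_perms ;` have a stray space before the semicolon, unlike the rest of the file.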
diff --git a/public/attributes b/public/attributes
new file mode 100644
index 0000000..b13f75c
--- /dev/null
+++ b/public/attributes
@@ -0,0 +1,279 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# in tools/checkfc.c
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute fs_type;
+
+# All types used for context= mounts.
+attribute contextmount_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+# All types in /vendor
+attribute vendor_file_type;
+
+# All types use for sysfs files.
+attribute sysfs_type;
+
+# All types use for debugfs files.
+attribute debugfs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+# On change, update CHECK_PC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute property_type;
+
+# All properties defined in core SELinux policy. Should not be
+# used by device specific properties
+attribute core_property_type;
+
+# All properties used to configure log filtering.
+attribute log_property_type;
+
+# All service_manager types created by system_server
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which should be available to all ephemeral apps
+attribute ephemeral_app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
+
+# All types used for services managed by servicemanager.
+# On change, update CHECK_SC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute service_manager_type;
+
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All third party apps.
+attribute untrusted_app_all;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# update_engine related domains that need to apply an update and run
+# postinstall. This includes the background daemon and the sideload tool from
+# recovery for A/B devices.
+attribute update_engine_common;
+
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+attribute pdx_channel_socket_type;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(bufferhub_client)
+
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
+
+# HALs
+attribute hal_allocator;
+attribute hal_allocator_client;
+attribute hal_allocator_server;
+attribute hal_audio;
+attribute hal_audio_client;
+attribute hal_audio_server;
+attribute hal_bluetooth;
+attribute hal_bluetooth_client;
+attribute hal_bluetooth_server;
+attribute hal_bootctl;
+attribute hal_bootctl_client;
+attribute hal_bootctl_server;
+attribute hal_camera;
+attribute hal_camera_client;
+attribute hal_camera_server;
+attribute hal_configstore;
+attribute hal_configstore_client;
+attribute hal_configstore_server;
+attribute hal_contexthub;
+attribute hal_contexthub_client;
+attribute hal_contexthub_server;
+attribute hal_drm;
+attribute hal_drm_client;
+attribute hal_drm_server;
+attribute hal_dumpstate;
+attribute hal_dumpstate_client;
+attribute hal_dumpstate_server;
+attribute hal_fingerprint;
+attribute hal_fingerprint_client;
+attribute hal_fingerprint_server;
+attribute hal_gatekeeper;
+attribute hal_gatekeeper_client;
+attribute hal_gatekeeper_server;
+attribute hal_gnss;
+attribute hal_gnss_client;
+attribute hal_gnss_server;
+attribute hal_graphics_allocator;
+attribute hal_graphics_allocator_client;
+attribute hal_graphics_allocator_server;
+attribute hal_graphics_composer;
+attribute hal_graphics_composer_client;
+attribute hal_graphics_composer_server;
+attribute hal_health;
+attribute hal_health_client;
+attribute hal_health_server;
+attribute hal_ir;
+attribute hal_ir_client;
+attribute hal_ir_server;
+attribute hal_keymaster;
+attribute hal_keymaster_client;
+attribute hal_keymaster_server;
+attribute hal_light;
+attribute hal_light_client;
+attribute hal_light_server;
+attribute hal_memtrack;
+attribute hal_memtrack_client;
+attribute hal_memtrack_server;
+attribute hal_nfc;
+attribute hal_nfc_client;
+attribute hal_nfc_server;
+attribute hal_oemlock;
+attribute hal_oemlock_client;
+attribute hal_oemlock_server;
+attribute hal_power;
+attribute hal_power_client;
+attribute hal_power_server;
+attribute hal_sensors;
+attribute hal_sensors_client;
+attribute hal_sensors_server;
+attribute hal_telephony;
+attribute hal_telephony_client;
+attribute hal_telephony_server;
+attribute hal_thermal;
+attribute hal_thermal_client;
+attribute hal_thermal_server;
+attribute hal_tv_cec;
+attribute hal_tv_cec_client;
+attribute hal_tv_cec_server;
+attribute hal_tv_input;
+attribute hal_tv_input_client;
+attribute hal_tv_input_server;
+attribute hal_usb;
+attribute hal_usb_client;
+attribute hal_usb_server;
+attribute hal_vibrator;
+attribute hal_vibrator_client;
+attribute hal_vibrator_server;
+attribute hal_vr;
+attribute hal_vr_client;
+attribute hal_vr_server;
+attribute hal_weaver;
+attribute hal_weaver_client;
+attribute hal_weaver_server;
+attribute hal_wifi;
+attribute hal_wifi_client;
+attribute hal_wifi_server;
+attribute hal_wifi_keystore;
+attribute hal_wifi_keystore_client;
+attribute hal_wifi_keystore_server;
+attribute hal_wifi_offload;
+attribute hal_wifi_offload_client;
+attribute hal_wifi_offload_server;
+attribute hal_wifi_supplicant;
+attribute hal_wifi_supplicant_client;
+attribute hal_wifi_supplicant_server;
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server  to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute display_service_server;
+attribute wifi_keystore_service_server;
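Review bot: Two comments read "All types use for sysfs files." and "All types use for debugfs files." — "use" should be "used", matching the other declarations in the file. The comment above display_service_server also has a double space in "x_server  to".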
diff --git a/public/audioserver.te b/public/audioserver.te
new file mode 100644
index 0000000..9a72858
--- /dev/null
+++ b/public/audioserver.te
@@ -0,0 +1,2 @@
+# audioserver - audio services daemon
+type audioserver, domain;
diff --git a/public/blkid.te b/public/blkid.te
new file mode 100644
index 0000000..dabe014
--- /dev/null
+++ b/public/blkid.te
@@ -0,0 +1,2 @@
+# blkid called from vold
+type blkid, domain;
diff --git a/public/blkid_untrusted.te b/public/blkid_untrusted.te
new file mode 100644
index 0000000..4be4c0c
--- /dev/null
+++ b/public/blkid_untrusted.te
@@ -0,0 +1,2 @@
+# blkid for untrusted block devices
+type blkid_untrusted, domain;
diff --git a/public/bluetooth.te b/public/bluetooth.te
new file mode 100644
index 0000000..9b3442a
--- /dev/null
+++ b/public/bluetooth.te
@@ -0,0 +1,2 @@
+# bluetooth subsystem
+type bluetooth, domain;
diff --git a/bootanim.te b/public/bootanim.te
similarity index 79%
rename from bootanim.te
rename to public/bootanim.te
index c3091ab..e2584c3 100644
--- a/bootanim.te
+++ b/public/bootanim.te
@@ -2,12 +2,15 @@
 type bootanim, domain;
 type bootanim_exec, exec_type, file_type;
 
-init_daemon_domain(bootanim)
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
 
 binder_use(bootanim)
 binder_call(bootanim, surfaceflinger)
 binder_call(bootanim, audioserver)
 
+hwbinder_use(bootanim)
+
 allow bootanim gpu_device:chr_file rw_file_perms;
 
 # /oem access
@@ -19,10 +22,13 @@
 
 allow bootanim audioserver_service:service_manager find;
 allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim audioserver_service:service_manager find;
 
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
+allow bootanim hal_graphics_allocator:fd use;
+
+# Fences
+allow bootanim hal_graphics_composer:fd use;
 
 # Read access to pseudo filesystems.
 r_dir_file(bootanim, proc)
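Review bot: `allow bootanim hal_graphics_allocator:fd use;` is placed under the comment "Allow access to ion memory allocation device", which describes the ion_device rule above it, not the allocator fd; the composer fd got its own "# Fences" comment, so the allocator one should too, e.g. `# Buffers handed over by the graphics allocator HAL`. The first hunk of this file drops `init_daemon_domain(bootanim)` from the public file; presumably it moves to a private bootanim.te not shown here — worth confirming, since otherwise nothing would enter the domain.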
diff --git a/bootstat.te b/public/bootstat.te
similarity index 73%
rename from bootstat.te
rename to public/bootstat.te
index 44a8c91..f5c7268 100644
--- a/bootstat.te
+++ b/public/bootstat.te
@@ -2,11 +2,14 @@
 type bootstat, domain;
 type bootstat_exec, exec_type, file_type;
 
-init_daemon_domain(bootstat)
+read_runtime_log_tags(bootstat)
 
 # Allow persistent storage in /data/misc/bootstat.
 allow bootstat bootstat_data_file:dir rw_dir_perms;
 allow bootstat bootstat_data_file:file create_file_perms;
 
 # Read access to pseudo filesystems (for /proc/uptime).
-r_dir_file(bootstat, proc)
\ No newline at end of file
+r_dir_file(bootstat, proc)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
new file mode 100644
index 0000000..274c271
--- /dev/null
+++ b/public/bufferhubd.te
@@ -0,0 +1,20 @@
+# bufferhubd
+type bufferhubd, domain, mlstrustedsubject;
+type bufferhubd_exec, exec_type, file_type;
+
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
+
+# Access the GPU.
+allow bufferhubd gpu_device:chr_file rw_file_perms;
+
+# Access /dev/ion
+allow bufferhubd ion_device:chr_file r_file_perms;
+
+# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
+# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
+# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
+# Thus, there is no need to use pdx_client macro.
+allow bufferhubd mediacodec:fd use;
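Review bot: `type bufferhubd, domain, mlstrustedsubject;` attaches the MLS-override attribute with no explanation, while webview_zygote.te in this same commit comments why it needs mlstrustedsubject; this is the one attribute here a reviewer most needs a reason for, since public/attributes describes it as allowing a domain to read up and write down across MLS levels. Add a line such as `# mlstrustedsubject: <reason, e.g. exchanges buffers with processes at any MLS level> — confirm` above the type declaration.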
diff --git a/public/cameraserver.te b/public/cameraserver.te
new file mode 100644
index 0000000..0dd4a80
--- /dev/null
+++ b/public/cameraserver.te
@@ -0,0 +1,49 @@
+# cameraserver - camera daemon
+type cameraserver, domain;
+type cameraserver_exec, exec_type, file_type;
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+hal_client_domain(cameraserver, hal_camera)
+
+hal_client_domain(cameraserver, hal_graphics_allocator)
+
+allow cameraserver ion_device:chr_file rw_file_perms;
+
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
+add_service(cameraserver, cameraserver_service)
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/charger.te b/public/charger.te
new file mode 100644
index 0000000..4b20d1d
--- /dev/null
+++ b/public/charger.te
@@ -0,0 +1,41 @@
+# charger seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type charger, domain;
+
+# Write to /dev/kmsg
+allow charger kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger, sysfs_type)
+r_dir_file(charger, rootfs)
+r_dir_file(charger, cgroup)
+
+allow charger self:capability { sys_tty_config };
+allow charger self:capability sys_boot;
+
+wakelock_use(charger)
+
+allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Write to /sys/power/state
+# TODO:  Split into a separate type?
+allow charger sysfs:file write;
+
+allow charger sysfs_batteryinfo:file r_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger pstorefs:dir r_dir_perms;
+allow charger pstorefs:file r_file_perms;
+
+allow charger graphics_device:dir r_dir_perms;
+allow charger graphics_device:chr_file rw_file_perms;
+allow charger input_device:dir r_dir_perms;
+allow charger input_device:chr_file r_file_perms;
+allow charger tty_device:chr_file rw_file_perms;
+allow charger proc_sysrq:file rw_file_perms;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
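Review bot: `allow charger sysfs:file write;` grants write on every file carrying the generic `sysfs` label, not only /sys/power/state as the comment above it implies, and the TODO leaves that breadth unrecorded. Until a dedicated type exists the comment should state the actual scope so it is not lost on later readers: `# Write to /sys/power/state. NOTE: this grants write to all files of the generic sysfs type; TODO: split into a separate type.` The two adjacent self:capability rules could also be folded into one, `allow charger self:capability { sys_boot sys_tty_config };`, which avoids the single-element brace set and keeps the capability grants in one place.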
diff --git a/clatd.te b/public/clatd.te
similarity index 94%
rename from clatd.te
rename to public/clatd.te
index 3cda6a2..212b76e 100644
--- a/clatd.te
+++ b/public/clatd.te
@@ -1,9 +1,11 @@
 # 464xlat daemon
-type clatd, domain, domain_deprecated;
+type clatd, domain;
 type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
 
+r_dir_file(clatd, proc_net)
+
 # Access objects inherited from netd.
 allow clatd netd:fd use;
 allow clatd netd:fifo_file { read write };
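Review bot: The new `r_dir_file(clatd, proc_net)` has no comment, while the surrounding rules in this file explain their purpose (e.g. `# Access objects inherited from netd.`). Read access to /proc/net exposes interface and socket tables, so a one-line note saying what clatd reads there would help a later reviewer judge whether the grant can be narrowed: `# Read /proc/net/* (TODO: note which entries clatd needs).`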
@@ -27,5 +29,5 @@
 allow clatd self:capability ipc_lock;
 
 allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
+allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
 allow clatd tun_device:chr_file rw_file_perms;
diff --git a/cppreopts.te b/public/cppreopts.te
similarity index 80%
rename from cppreopts.te
rename to public/cppreopts.te
index 66df7ee..8cbf801 100644
--- a/cppreopts.te
+++ b/public/cppreopts.te
@@ -7,12 +7,6 @@
 type cppreopts, domain, mlstrustedsubject;
 type cppreopts_exec, exec_type, file_type;
 
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
-
 # Allow cppreopts copy files into the dalvik-cache
 allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
 allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
diff --git a/public/crash_dump.te b/public/crash_dump.te
new file mode 100644
index 0000000..ee617a1
--- /dev/null
+++ b/public/crash_dump.te
@@ -0,0 +1,60 @@
+type crash_dump, domain;
+type crash_dump_exec, exec_type, file_type;
+
+allow crash_dump {
+  domain
+  -init
+  -crash_dump
+  -keystore
+  -logd
+}:process { ptrace signal sigchld sigstop sigkill };
+
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:capability { sys_ptrace };
+
+userdebug_or_eng(`
+  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+')
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Write to the IPC pipe inherited from crashing processes.
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { write append };
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow crash_dump dalvikcache_data_file:dir { search getattr };
+allow crash_dump dalvikcache_data_file:file r_file_perms;
+
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Talk to ActivityManager.
+unix_socket_connect(crash_dump, system_ndebug, system_server)
+
+# Append to ANR files.
+allow crash_dump anr_data_file:file { append getattr };
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+read_logd(crash_dump)
+
+###
+### neverallow assertions
+###
+
+# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
+# Do not allow the execution of crash_dump without a domain transition.
+neverallow domain crash_dump_exec:file execute_no_trans;
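Review bot: `r_dir_file(crash_dump, apk_data_file);` carries a trailing semicolon that the other macro invocations in this file (`r_dir_file(crash_dump, domain)`, `r_dir_file(crash_dump, { vendor_file same_process_hal_file })`, `read_logd(crash_dump)`) do not; the macro already expands to terminated rules, so the `;` is redundant and should be dropped for consistency: `r_dir_file(crash_dump, apk_data_file)`. Separately, the ptrace grant and the fd/fifo rules are commented, but `r_dir_file(crash_dump, domain)` — read access to the process-labelled entries of every domain, presumably /proc/<pid> of the process being dumped — has no comment; suggest `# Read /proc/<pid>/* (maps, status, ...) of the process being dumped.`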
diff --git a/device.te b/public/device.te
similarity index 91%
rename from device.te
rename to public/device.te
index 06006b2..4a3bec9 100644
--- a/device.te
+++ b/public/device.te
@@ -1,13 +1,18 @@
 # Device types
 type device, dev_type, fs_type;
 type alarm_device, dev_type, mlstrustedobject;
-type adb_device, dev_type;
 type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
+type audio_timer_device, dev_type;
+type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
 type block_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;
+type keychord_device, dev_type;
+type loop_control_device, dev_type;
 type loop_device, dev_type;
 type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
@@ -24,6 +29,7 @@
 type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
+type port_device, dev_type;
 type log_device, dev_type, mlstrustedobject;
 type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
@@ -37,14 +43,12 @@
 type socket_device, dev_type;
 type owntty_device, dev_type, mlstrustedobject;
 type tty_device, dev_type;
-type urandom_device, dev_type, mlstrustedobject;
 type video_device, dev_type;
 type vcs_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
 type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
 type ion_device, dev_type, mlstrustedobject;
-type gps_device, dev_type;
 type qtaguid_device, dev_type;
 type watchdog_device, dev_type;
 type uhid_device, dev_type;
@@ -52,7 +56,6 @@
 type tun_device, dev_type, mlstrustedobject;
 type usbaccessory_device, dev_type, mlstrustedobject;
 type usb_device, dev_type, mlstrustedobject;
-type klog_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type i2c_device, dev_type;
@@ -98,6 +101,3 @@
 
 # The 'misc' partition used by recovery and A/B.
 type misc_block_device, dev_type;
-
-# Bootctrl block device used by A/B update (update_engine, update_verifier).
-type bootctrl_block_device, dev_type;
diff --git a/dex2oat.te b/public/dex2oat.te
similarity index 67%
rename from dex2oat.te
rename to public/dex2oat.te
index fdf5536..47f3bcb 100644
--- a/dex2oat.te
+++ b/public/dex2oat.te
@@ -1,22 +1,40 @@
 # dex2oat
-type dex2oat, domain, domain_deprecated;
+type dex2oat, domain;
 type dex2oat_exec, exec_type, file_type;
 
+r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
+
+allow dex2oat tmpfs:file { read getattr };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
 # the oat file is symlinked to the original file in /system.
 allow dex2oat dalvikcache_data_file:lnk_file read;
 allow dex2oat installd:fd use;
 
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
 # locked APKs.
 allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
 allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:file read;
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
 allow dex2oat user_profile_data_file:file { getattr read lock };
 
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat app_data_file:file { getattr read write lock };
+
 ##################
 # A/B OTA Dexopt #
 ##################
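Review bot: `allow dex2oat app_data_file:file { getattr read write lock };` grants write on app private data but appears to deliberately omit `open`, so dex2oat can only act on descriptors handed to it (consistent with `allow dex2oat installd:fd use;` above); that constraint is the security property worth recording, because a later edit that adds `open` would silently widen the grant. Suggest extending the comment: `# No open permission: dex2oat only operates on descriptors passed in by installd.` The same observation applies to `allow dex2oat tmpfs:file { read getattr };`, which has no comment at all.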
@@ -25,6 +43,8 @@
 allow dex2oat postinstall_dexopt:fd use;
 
 allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
+allow dex2oat postinstall_file:lnk_file read;
 
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/dhcp.te b/public/dhcp.te
similarity index 80%
rename from dhcp.te
rename to public/dhcp.te
index a858e08..2b54b7f 100644
--- a/dhcp.te
+++ b/public/dhcp.te
@@ -1,16 +1,15 @@
-type dhcp, domain, domain_deprecated;
+type dhcp, domain;
 type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
 
-init_daemon_domain(dhcp)
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
 allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms;
+allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
 
 # dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
 allow dhcp toolbox_exec:file rx_file_perms;
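Review bot: `not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')` lets dhcp execute any file under /vendor on non-Treble devices and has no comment, unlike the `toolbox_exec` rule right below it which explains what is run. Recording the reason (presumably hook scripts or helpers shipped in /vendor, to be confirmed) would let a later reviewer decide whether a narrower type is possible: `# Non-Treble devices: dhcp helpers may live in /vendor (TODO: narrow to a dedicated type).`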
@@ -21,7 +20,6 @@
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)
 
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
 allow dhcp dhcp_data_file:file create_file_perms;
 
diff --git a/public/display_service_server.te b/public/display_service_server.te
new file mode 100644
index 0000000..c5839fa
--- /dev/null
+++ b/public/display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/dnsmasq.te b/public/dnsmasq.te
similarity index 91%
rename from dnsmasq.te
rename to public/dnsmasq.te
index e5e4198..ccac69a 100644
--- a/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -1,8 +1,9 @@
 # DNS, DHCP services
-type dnsmasq, domain, domain_deprecated;
+type dnsmasq, domain;
 type dnsmasq_exec, exec_type, file_type;
 
 net_domain(dnsmasq)
+allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
 
 # TODO:  Run with dhcp group to avoid need for dac_override.
 allow dnsmasq self:capability dac_override;
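Review bot: `allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;` is added without a comment, while the neighbouring `dac_override` rule explains itself with a TODO. The default whitelist for all domains is the `unpriv_sock_ioctls` set (granted in the domain.te hunk of this same change), so widening dnsmasq to the privileged set is exactly the kind of exception future readers will want justified; suggest `# TODO: note which privileged socket ioctls dnsmasq needs; this exceeds the unpriv_sock_ioctls default from domain.te.`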
diff --git a/public/domain.te b/public/domain.te
new file mode 100644
index 0000000..8f63624
--- /dev/null
+++ b/public/domain.te
@@ -0,0 +1,1019 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+    fork
+    sigchld
+    sigkill
+    sigstop
+    signull
+    signal
+    getsched
+    setsched
+    getsession
+    getpgid
+    setpgid
+    getcap
+    setcap
+    getattr
+    setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+userdebug_or_eng(`
+  # Same as adbd rules above, except allow su to do the same thing
+  allow domain su:unix_stream_socket connectto;
+  allow domain su:fd use;
+  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+
+  allow { domain -init } su:binder { call transfer };
+  allow { domain -init } su:fd use;
+
+  # Running something like "pm dump com.android.bluetooth" requires
+  # fifo writes
+  allow domain su:fifo_file { write getattr };
+
+  # allow "gdbserver --attach" to work for su.
+  allow domain su:process sigchld;
+
+  # Allow writing coredumps to /cores/*
+  allow domain coredump_file:file create_file_perms;
+  allow domain coredump_file:dir ra_dir_perms;
+')
+
+# Root fs.
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow {
+  coredomain
+  appdomain
+  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  -hwservicemanager
+} binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+get_prop(domain, core_property_type)
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts_file:file r_file_perms;
+
+allow domain init:key search;
+allow domain vold:key search;
+
+# logd access
+write_logd(domain)
+
+# System file accesses.
+allow domain system_file:dir { search getattr };
+allow domain system_file:file { execute read open getattr };
+allow domain system_file:lnk_file { getattr read };
+
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+    allow domain vendor_file_type:dir { search getattr };
+    allow domain vendor_file_type:file { execute read open getattr };
+    allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr };
+
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+full_treble_only(`
+    # Allow all domains to be able to follow /system/vendor symlink
+    allow domain vendor_file:lnk_file { getattr open read };
+
+    # This is required to be able to search & read /vendor/lib64
+    # in order to lookup vendor libraries. The execute permission
+    # for coredomains is granted *only* for same process HALs
+    allow domain vendor_file:dir { getattr search };
+
+    # Allow reading and executing out of /vendor to all vendor domains
+    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
+# read any sysfs symlinks
+allow domain sysfs:lnk_file read;
+
+# libc references /data/misc/zoneinfo for timezone related information
+# This directory is considered to be a VNDK-stable
+r_dir_file(domain, zoneinfo_data_file)
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+r_dir_file(domain, sysfs_usb);
+
+# files under /data.
+not_full_treble(`allow domain system_data_file:dir getattr;')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
+allow domain system_data_file:dir search;
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# jemalloc needs to read /proc/sys/vm/overcommit_memory
+allow domain proc_overcommit_memory:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to a whitelist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this whitelist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default whitelist for unix sockets.
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
+  ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
+
+###
+### neverallow rules
+###
+
+# All socket ioctls must be restricted to a whitelist.
+neverallowxperm domain domain:socket_class_set ioctl { 0 };
+
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
+# Do not allow any domain other than init or recovery to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
+
+# Limit device node creation to these whitelisted domains.
+neverallow {
+  domain
+  -kernel
+  -init
+  -ueventd
+  -vold
+} self:capability mknod;
+
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain')
+  -kernel
+  -init
+  -recovery
+  -ueventd
+  -healthd
+  -uncrypt
+  -tee
+} self:capability sys_rawio;
+
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow * self:memprotect mmap_zero;
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow * self:capability2 mac_override;
+
+# Only recovery needs mac_admin to set contexts not defined in current policy.
+neverallow { domain -recovery } self:capability2 mac_admin;
+
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow * kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
+
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow * kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
+# Only init, ueventd, shell and system_server should be able to access HW RNG
+neverallow {
+  domain
+  -init
+  -shell # For CTS and is restricted to getattr in shell.te
+  -system_server
+  -ueventd
+} hw_random_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
+
+# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
+neverallow {
+  domain
+  -shell # For CTS and is restricted to getattr in shell.te
+  -ueventd # Further restricted in ueventd.te
+} kmem_device:chr_file *;
+neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
+
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+  domain
+  -shell # Shell user should not have any abilities outside of getattr
+  -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init } proc_security:file { append open read write };
+
+# No domain should be allowed to ptrace init.
+neverallow * init:process ptrace;
+
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+neverallow domain device:chr_file { open read write };
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the rootfs or /system partition except for a few whitelisted domains.
+#
+neverallow {
+    domain
+    -appdomain
+    with_asan(`-asan_extract')
+    -dumpstate
+    -shell
+    userdebug_or_eng(`-su')
+    -system_server
+    -webview_zygote
+    -zygote
+} {
+    file_type
+    -system_file
+    -vendor_file_type
+    -exec_type
+    -postinstall_file
+}:file execute;
+
+neverallow {
+    domain
+    -appdomain # for oemfs
+    -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
+# Files from cache should never be executed
+neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+  domain
+  -appdomain
+} {
+  data_file_type
+  -dalvikcache_data_file
+  -system_data_file # shared libs in apks
+  -apk_data_file
+}:file no_x_file_perms;
+
+neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+
+# Only the init property service should write to /data/property and /dev/__properties__
+neverallow { domain -init } property_data_file:dir no_w_dir_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
+
+# Only recovery should be doing writes to /system & /vendor
+neverallow {
+    domain
+    -recovery
+    with_asan(`-asan_extract')
+} {
+    system_file
+    vendor_file_type
+    exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
+
+# Don't allow mounting on top of /system files or directories
+neverallow * exec_type:dir_file_class_set mounton;
+neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
+
+# Nothing should be writing to files in the rootfs.
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow { domain -recovery } contextmount_type:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Do not allow service_manager add for default service labels.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
+neverallow * default_android_service:service_manager add;
+neverallow * default_android_vndservice:service_manager { add find };
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
+# Require that domains explicitly label unknown properties, and do not allow
+# anyone but init to modify unknown properties.
+neverallow { domain -init } default_prop:property_service set;
+neverallow { domain -init } mmc_prop:property_service set;
+
+# Do not allow reading device's serial number from system properties except form
+# a few whitelisted domains.
+neverallow {
+  domain
+  -adbd
+  -dumpstate
+  -hal_drm
+  -init
+  -mediadrmserver
+  -recovery
+  -shell
+  -system_server
+} serialno_prop:file r_file_perms;
+
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
+
+neverallow {
+  domain
+  -init
+  -recovery
+  -system_server
+  -shell # Shell is further restricted in shell.te
+  -ueventd # Further restricted in ueventd.te
+} frp_block_device:blk_file no_rw_file_perms;
+
+# The metadata block device is set aside for device encryption and
+# verified boot metadata. It may be reset at will and should not
+# be used by other domains.
+neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
+  { append link rename write open read ioctl lock };
+
+# No domain other than recovery and update_engine can write to system partition(s).
+neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
+
+# No domains other than install_recovery or recovery can write to recovery.
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain') # exclude debuggable builds
+  -init
+  -uncrypt
+  -update_engine
+  -vold
+  -recovery
+  -ueventd
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
+# The service managers are only allowed to access their own device node
+neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } binder_device:chr_file rw_file_perms;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # restrictions for vendor apps are declared lower down
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } service_manager_type:service_manager find;
+  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+  # services which can change any time framework/core is updated, breakage is likely.
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    service_manager_type
+    -app_api_service
+    -ephemeral_app_api_service
+    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+    -cameraserver_service
+    -drmserver_service
+    -keystore_service
+    -mediacasserver_service
+    -mediadrmserver_service
+    -mediaextractor_service
+    -mediametrics_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -virtual_touchpad_service
+    -vr_hwc_service
+    -vr_manager_service
+  }:service_manager find;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } servicemanager:binder { call transfer };
+')
+
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+  } vndbinder_device:chr_file rw_file_perms;
+  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservice_manager_type:service_manager *;
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservicemanager:binder *;
+')
+
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+full_treble_only(`
+  # Most general rules first, more specific rules below.
+
+  # Core domains are not permitted to initiate communications to vendor domain sockets.
+  # We are not restricting the use of already established sockets because it is fine for a process
+  # to obtain an already established socket via some public/official/stable API and then exchange
+  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+  # and thus does not break the core-vendor separation.
+  neverallow_establish_socket_comms({
+    coredomain
+    -init
+    -adbd
+  }, {
+    domain
+    -coredomain
+    -socket_between_core_and_vendor_violators
+  });
+  # Vendor domains are not permitted to initiate communications to core domain sockets
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -appdomain
+    -socket_between_core_and_vendor_violators
+  }, {
+    coredomain
+    -logd # Logging by writing to logd Unix domain socket is public API
+    -netd # netdomain needs this
+    -mdnsd # netdomain needs this
+    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+    -init
+    -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+    -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+  });
+
+  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -netdomain
+    -socket_between_core_and_vendor_violators
+  }, netd);
+
+  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # appdomain restrictions below
+    -socket_between_core_and_vendor_violators
+  } {
+    coredomain_socket
+    core_data_file_type
+    unlabeled # used only by core domains
+  }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    coredomain_socket
+    unlabeled # used only by core domains
+    core_data_file_type
+    -app_data_file
+    -pdx_endpoint_socket_type # used by VR layer
+    -pdx_channel_socket_type # used by VR layer
+  }:sock_file ~{ append getattr ioctl read write };
+
+  # Core domains are not permitted to create/open sockets owned by vendor domains
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -socket_between_core_and_vendor_violators
+  } {
+    file_type
+    dev_type
+    -coredomain_socket
+    -core_data_file_type
+    -unlabeled
+  }:sock_file ~{ append getattr ioctl read write };
+')
+
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+    # Limit access to /vendor/app
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -postinstall_dexopt
+        -system_server
+    } vendor_app_file:dir { open read getattr search };
+
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -postinstall_dexopt
+        -system_server
+    } vendor_app_file:{ file lnk_file } r_file_perms;
+
+    # Limit access to /vendor/overlay
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -zygote
+    } vendor_overlay_file:dir { getattr open read search };
+
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -zygote
+    } vendor_overlay_file:{ file lnk_file } r_file_perms;
+
+    # Non-vendor domains are not allowed to file execute shell
+    # from vendor
+    neverallow {
+        coredomain
+        -init
+    } vendor_shell_exec:file { execute execute_no_trans };
+
+    # Do not allow vendor components to execute files from system
+    # except for the ones whitelist here.
+    neverallow {
+        domain
+        -coredomain
+        -appdomain
+        -rild
+        -vendor_executes_system_violators
+    } {
+        exec_type
+        -vendor_file_type
+        -crash_dump_exec
+        -netutils_wrapper_exec
+    }:file { entrypoint execute execute_no_trans };
+')
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+neverallow {
+  domain
+  -init # TODO: limit init to relabelfrom for files
+  -zygote
+  -installd
+  -postinstall_dexopt
+  -cppreopts
+  -dex2oat
+  -otapreopt_slot
+} dalvikcache_data_file:file no_w_file_perms;
+
+neverallow {
+  domain
+  -init
+  -installd
+  -postinstall_dexopt
+  -cppreopts
+  -dex2oat
+  -zygote
+  -otapreopt_slot
+} dalvikcache_data_file:dir no_w_dir_perms;
+
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
+neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } webview_zygote_socket:sock_file write;
+
+neverallow {
+  domain
+  -tombstoned
+  -crash_dump
+  -dumpstate
+  -system_server
+
+  # Processes that can't exec crash_dump
+  -mediacodec
+  -mediaextractor
+} tombstoned:unix_stream_socket connectto;
+neverallow {
+  domain
+  -crash_dump
+  -mediacodec
+  -mediaextractor
+} tombstoned_crash_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow * *:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow * {
+  file_type
+  -apk_data_file
+  -app_data_file
+  -asec_public_file
+}:file execmod;
+
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow * self:process { execstack execheap };
+
+# prohibit non-zygote spawned processes from using shared libraries
+# with text relocations. b/20013628 .
+neverallow { domain -untrusted_app_all } file_type:file execmod;
+
+neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+  domain
+  -system_server
+  -system_app
+  -init
+  -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  with_asan(`-asan_extract')
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+# respect system_app sandboxes
+neverallow {
+  domain
+  -appdomain # finer-grained rules for appdomain are listed below
+  -system_server #populate com.android.providers.settings/databases/settings.db.
+  -installd # creation of app sandbox
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+  isolated_app
+  untrusted_app_all # finer-grained rules for appdomain are listed below
+  ephemeral_app
+  priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
+
+# Services should respect app sandboxes
+neverallow {
+  domain
+  -appdomain
+  -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+  domain
+  -adbd
+  -init
+  -runas
+  -zygote
+} shell:process { transition dyntransition };
+
+# Only domains spawned from zygote and runas may have the appdomain attribute.
+neverallow { domain -runas -webview_zygote -zygote } {
+  appdomain -shell userdebug_or_eng(`-su') -bluetooth
+}:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+  domain
+  -appdomain
+  -installd
+  -uncrypt  # TODO: see if we can remove
+} app_data_file:lnk_file read;
+
+neverallow {
+  domain
+  -shell
+  userdebug_or_eng(`-uncrypt')
+  -installd
+} shell_data_file:lnk_file read;
+
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-whitelisted domains should
+# not be trusting any content in those directories.
+neverallow {
+  domain
+  -adbd
+  -dumpstate
+  -installd
+  -init
+  -shell
+  -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+  domain
+  -adbd
+  -appdomain
+  -dumpstate
+  -init
+  -installd
+  -system_server # why?
+  userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir { open search };
+
+# Same as above for /data/local/tmp files. We allow shell files
+# to be passed around by file descriptor, but not directly opened.
+neverallow {
+  domain
+  -adbd
+  -appdomain
+  -dumpstate
+  -installd
+  userdebug_or_eng(`-uncrypt')
+} shell_data_file:file open;
+
+
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+    servicemanager
+    vndservicemanager
+    }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+    hwservicemanager
+    }:hwservice_manager list;
+
+# only service_manager_types can be added to service_manager
+# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
+
+# Prevent assigning non property types to properties
+# TODO - rework this: neverallow * ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow * domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix system_server and dumpstate
+neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+  domain
+  -installd
+  -profman
+} profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time or
+# during upgrade by recovery.
+neverallow {
+  domain
+  -recovery
+} self:capability setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
diff --git a/drmserver.te b/public/drmserver.te
similarity index 80%
rename from drmserver.te
rename to public/drmserver.te
index 9130e0b..f752c13 100644
--- a/drmserver.te
+++ b/public/drmserver.te
@@ -1,8 +1,7 @@
 # drmserver - DRM service
-type drmserver, domain, domain_deprecated;
+type drmserver, domain;
 type drmserver_exec, exec_type, file_type;
 
-init_daemon_domain(drmserver)
 typeattribute drmserver mlstrustedsubject;
 
 net_domain(drmserver)
@@ -10,8 +9,10 @@
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system_server)
-binder_call(drmserver, { appdomain autoplay_app })
+binder_call(drmserver, appdomain)
 binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
 
 # Perform Binder IPC to mediaserver
 binder_call(drmserver, mediaserver)
@@ -20,7 +21,7 @@
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver { app_data_file autoplay_data_file}:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 r_dir_file(drmserver, efs_file)
 
@@ -29,9 +30,7 @@
 # /data/app/tlcd_sock socket file.
 # Clearly, /data/app is the most logical place to create a socket.  Not.
 allow drmserver apk_data_file:dir rw_dir_perms;
-type_transition drmserver apk_data_file:sock_file drmserver_socket;
 allow drmserver drmserver_socket:sock_file create_file_perms;
-allow drmserver tee:unix_stream_socket connectto;
 # Delete old socket file if present.
 allow drmserver apk_data_file:sock_file unlink;
 
@@ -50,7 +49,10 @@
 allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;
 
-allow drmserver drmserver_service:service_manager { add find };
+add_service(drmserver, drmserver_service)
 allow drmserver permission_service:service_manager find;
 
 selinux_check_access(drmserver)
+
+r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, system_file)
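Review bot: The two r_dir_file lines added at the end of this hunk carry no comment saying why drmserver now needs read access to cgroup and to system_file, whereas the sibling dumpstate change documents its identical cgroup grant with `# Read /dev/cpuctl and /dev/cpuset`. Every other allow in this file is preceded by a one-line reason, so these should be too, e.g. `# Read cgroup and /system files: <REASON-PLACEHOLDER>` above the pair, with the actual reason filled in by the author. Separately, the hunk above removes `type_transition drmserver apk_data_file:sock_file drmserver_socket;` while keeping the drmserver_socket create rule and the /data/app/tlcd_sock comment; if the transition moved to a private policy file as part of this split, a short pointer comment next to the remaining sock_file rule would keep the labelling of that socket understandable from this file alone.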
diff --git a/dumpstate.te b/public/dumpstate.te
similarity index 64%
rename from dumpstate.te
rename to public/dumpstate.te
index 2448ea4..4f66ffb 100644
--- a/dumpstate.te
+++ b/public/dumpstate.te
@@ -1,8 +1,7 @@
 # dumpstate
-type dumpstate, domain, domain_deprecated, mlstrustedsubject;
+type dumpstate, domain, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
-init_daemon_domain(dumpstate)
 net_domain(dumpstate)
 binder_use(dumpstate)
 wakelock_use(dumpstate)
@@ -27,6 +26,7 @@
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
 allow dumpstate toolbox_exec:file rx_file_perms;
 
 # Create and write into /data/anr/
@@ -50,43 +50,32 @@
 allow dumpstate domain:process getattr;
 
 # Signal java processes to dump their stack
-allow dumpstate { appdomain autoplay_app system_server }:process signal;
+allow dumpstate { appdomain system_server }:process signal;
 
 # Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in dumpstate/utils.c
 allow dumpstate {
+  # This list comes from native_processes_to_dump in dumpstate/utils.c
   audioserver
   cameraserver
   drmserver
   inputflinger
-  mediacodec
   mediadrmserver
   mediaextractor
   mediaserver
   sdcardd
   surfaceflinger
+
+  # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
+  hal_audio_server
+  hal_bluetooth_server
+  hal_camera_server
+  hal_graphics_composer_server
+  hal_vr_server
+  mediacodec # TODO(b/36375899): hal_omx_server
 }:process signal;
-# Ask debuggerd for the backtraces of these processes.
-allow dumpstate {
-  audioserver
-  cameraserver
-  drmserver
-  inputflinger
-  mediacodec
-  mediadrmserver
-  mediaextractor
-  mediaserver
-  sdcardd
-  surfaceflinger
-}:debuggerd dump_backtrace;
 
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
-# Vibrate the device after we're done collecting the bugreport
-# /sys/class/timed_output/vibrator/enable
-# TODO: create a new file class, instead of allowing write access to all of /sys
-allow dumpstate sysfs:file w_file_perms;
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
 
 # TODO: added to match above sysfs rule. Remove me?
 allow dumpstate sysfs_usb:file w_file_perms;
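Review bot: The context line `# TODO: added to match above sysfs rule. Remove me?` now refers to a rule that no longer exists, since this hunk deletes `allow dumpstate sysfs:file w_file_perms;` and the file's new neverallow forbids dumpstate from writing generic sysfs at all. The dangling TODO should be resolved in the same change: either drop `allow dumpstate sysfs_usb:file w_file_perms;` if the vibrator HAL move makes it unnecessary (I cannot tell from the hunk whether anything else relies on it), or reword it to `# TODO: sysfs_usb write was added to mirror the generic sysfs write rule, which has since been removed; confirm whether it is still needed.` so the next reader does not go looking for a rule that was deleted here.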
@@ -99,10 +88,19 @@
 allow dumpstate fuse_device:chr_file getattr;
 allow dumpstate { dm_device cache_block_device }:blk_file getattr;
 
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain autoplay_app netd })
+binder_call(dumpstate, { appdomain netd wificond })
 
+hal_client_domain(dumpstate, hal_dumpstate)
+hal_client_domain(dumpstate, hal_graphics_allocator)
+# Vibrate the device after we are done collecting the bugreport
+hal_client_domain(dumpstate, hal_vibrator)
+# For passthrough mode:
+allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
 
 # Reading /proc/PID/maps of other processes
 allow dumpstate self:capability sys_ptrace;
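Review bot: `allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };` lists getattr separately, but rw_file_perms already expands to r_file_perms, which in the global macros includes getattr; if that is the case here, the explicit getattr is redundant and the line can simply be `allow dumpstate sysfs_vibrator:file rw_file_perms;`. The `# For passthrough mode:` comment would also read more clearly as `# Passthrough (non-binderized) vibrator HAL: dumpstate touches the sysfs node directly.` so that it is obvious why a sysfs write survives next to the new hal_client_domain(dumpstate, hal_vibrator) grant.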
@@ -120,10 +118,10 @@
 allow dumpstate zygote_exec:file rx_file_perms;
 # Dalvik Compiler JIT.
 allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate dumpstate_tmpfs:file execute;
 allow dumpstate self:process execmem;
 # For art.
-allow dumpstate dalvikcache_data_file:file execute;
+allow dumpstate dalvikcache_data_file:dir { search getattr };
+allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
 
 # For Bluetooth
@@ -137,13 +135,17 @@
 # logd access
 read_logd(dumpstate)
 control_logd(dumpstate)
+read_runtime_log_tags(dumpstate)
+
+# Read /proc/net
+allow dumpstate proc_net:file r_file_perms;
 
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;
 
 # List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
 
 # Access /data/tombstones.
 allow dumpstate tombstone_data_file:dir r_dir_perms;
@@ -161,8 +163,6 @@
 userdebug_or_eng(`
   allow dumpstate user_profile_data_file:dir r_dir_perms;
   allow dumpstate user_profile_data_file:file r_file_perms;
-  allow dumpstate user_profile_foreign_dex_data_file:dir r_dir_perms;
-  allow dumpstate user_profile_foreign_dex_data_file:file r_file_perms;
 ')
 
 # Access /data/misc/logd
@@ -171,22 +171,45 @@
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;
 
 # Set properties.
 # dumpstate_prop is used to share state with the Shell app.
 set_prop(dumpstate, dumpstate_prop)
+# dumpstate_options_prop is used to pass extra command-line args.
+set_prop(dumpstate, dumpstate_options_prop)
 
-# systrace support - allow atrace to run
-allow dumpstate debugfs_tracing:dir r_dir_perms;
-allow dumpstate debugfs_tracing:file rw_file_perms;
-allow dumpstate debugfs_trace_marker:file getattr;
-allow dumpstate atrace_exec:file rx_file_perms;
+# Read device's serial number from system properties
+get_prop(dumpstate, serialno_prop)
+
+# Read state of logging-related properties
+get_prop(dumpstate, device_logging_prop)
 
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
 allow dumpstate media_rw_data_file:dir getattr;
+allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+add_service(dumpstate, dumpstate_service)
+
+###
+### neverallow rules
+###
+
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
+# only system_server, dumpstate and shell can find the dumpstate service
+neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
+
+# Dumpstate should not be writing to any generically labeled sysfs files.
+# Create a specific label for the file type
+neverallow dumpstate sysfs:file no_w_file_perms;
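Review bot: The find rule `allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;` packs five exclusions onto one line with no explanation, while the rest of this file (for example the process signal set earlier in the diff) writes such sets one member per line with a trailing comment. Since this list is a security boundary that will keep growing, I would break it across lines and annotate each exclusion with why dumpstate must not find that service, e.g. `-dumpstate_service # dumpstate's own callback service, found only by system_server/shell`, with the other four annotated by the author. The new `neverallow dumpstate *:process ptrace;` rule and its comment are a good complement to the sys_ptrace capability grant above.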
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
new file mode 100644
index 0000000..dc39a22
--- /dev/null
+++ b/public/ephemeral_app.te
@@ -0,0 +1,14 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+type ephemeral_app, domain;
diff --git a/public/file.te b/public/file.te
new file mode 100644
index 0000000..057af41
--- /dev/null
+++ b/public/file.te
@@ -0,0 +1,337 @@
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type;
+type proc_drop_caches, fs_type;
+type proc_overcommit_memory, fs_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, sysfs_type;
+type qtaguid_proc, fs_type, mlstrustedobject;
+type proc_bluetooth_writable, fs_type;
+type proc_cpuinfo, fs_type;
+type proc_interrupts, fs_type;
+type proc_iomem, fs_type;
+type proc_meminfo, fs_type;
+type proc_misc, fs_type;
+type proc_modules, fs_type;
+type proc_net, fs_type;
+type proc_perf, fs_type;
+type proc_stat, fs_type;
+type proc_sysrq, fs_type;
+type proc_timer, fs_type;
+type proc_tty_drivers, fs_type;
+type proc_uid_cputime_showstat, fs_type;
+type proc_uid_cputime_removeuid, fs_type;
+type proc_uid_io_stats, fs_type;
+type proc_uid_procstat_set, fs_type;
+type proc_zoneinfo, fs_type;
+type selinuxfs, fs_type, mlstrustedobject;
+type cgroup, fs_type, mlstrustedobject;
+type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_uio, sysfs_type, fs_type;
+type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
+type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
+type configfs, fs_type;
+# /sys/devices/system/cpu
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+# /sys/module/lowmemorykiller
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+# /sys/module/wlan/parameters/fwpath
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+
+type sysfs_thermal, sysfs_type, fs_type;
+
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type, mlstrustedobject;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
+type vfat, sdcard_type, fs_type, mlstrustedobject;
+type debugfs, fs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type;
+type tracing_shell_writable, fs_type, debugfs_type;
+type tracing_shell_writable_debug, fs_type, debugfs_type;
+
+type pstorefs, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type oemfs, fs_type, contextmount_type;
+type usbfs, fs_type;
+type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
+
+# File types
+type unlabeled, file_type;
+
+# Default type for anything under /system.
+type system_file, file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+
+# Speedup access for trusted applications to the runtime event tags
+type runtime_event_log_tags_file, file_type;
+# Type for /system/bin/logcat.
+type logcat_exec, exec_type, file_type;
+# /cores for coredumps on userdebug / eng builds
+type coredump_file, file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type, core_data_file_type;
+# Unencrypted data
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
+# /data/.layout_version or other installd-created files that
+# are created in a system_data_file directory.
+type install_data_file, file_type, data_file_type, core_data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type, core_data_file_type;
+# /data/adb - adb debugging files
+type adb_data_file, file_type, data_file_type, core_data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/app-private - forward-locked apps
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota
+type ota_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota_package
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/property
+type property_data_file, file_type, data_file_type, core_data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/nativetest
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/preloads
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
+# /data/preloads/media
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+
+# Mount locations managed by vold
+type mnt_media_rw_file, file_type;
+type mnt_user_file, file_type;
+type mnt_expand_file, file_type;
+type storage_file, file_type;
+
+# Label for storage dirs which are just mount stubs
+type mnt_media_rw_stub_file, file_type;
+type storage_stub_file, file_type;
+
+# /postinstall: Mount point used by update_engine to run postinstall.
+type postinstall_mnt_dir, file_type;
+# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
+type postinstall_file, file_type;
+
+# /data/misc subdirectories
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type reboot_data_file, file_type, data_file_type, core_data_file_type;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tee_data_file, file_type, data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/trace for method traces on userdebug / eng builds
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type, core_data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+# Default type for anything under /cache
+type cache_file, file_type, mlstrustedobject;
+# Type for /cache/backup_stage/* (fd interchange with apps)
+type cache_backup_file, file_type, mlstrustedobject;
+# type for anything under /cache/backup (local transport storage)
+type cache_private_backup_file, file_type;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for shortcut manager icon file.
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for user icon file.
+type icon_file, file_type, data_file_type, core_data_file_type;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type, core_data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type, core_data_file_type;
+# /data/backup and /data/secure/backup
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# device policy
+type bluetooth_efs_file, file_type;
+# Type for fingerprint template file
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+
+# Socket types
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type, coredomain_socket;
+type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type vold_socket, file_type, coredomain_socket;
+type webview_zygote_socket, file_type, coredomain_socket;
+type wpa_socket, file_type;
+type zygote_socket, file_type, coredomain_socket;
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
+# file_contexts files
+type file_contexts_file, file_type;
+
+# mac_permissions file
+type mac_perms_file, file_type;
+
+# property_contexts file
+type property_contexts_file, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
+# service_contexts file
+type service_contexts_file, file_type;
+
+# hwservice_contexts file
+type hwservice_contexts_file, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
+
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+#   type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+#   type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem associate;
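Review bot: The comment `# Compatibility with type name used in Android 4.3 and 4.4.` above the `cache_file` declaration no longer describes anything: it is immediately followed by the unrelated `# Default type for anything under /cache` line and no 4.3/4.4-era alias is declared anywhere in the new file, so it should be dropped or reattached to the type it was written for. Separately, `sysfs_usb` is the only `sysfs_*` type here declared with `file_type` instead of `fs_type`; since this file closes with a neverallow forbidding a type that carries both attributes, a one-line comment saying why usb sysfs nodes are treated as `file_type` (or changing it to `fs_type` to match its siblings, if the difference is accidental) would stop the next reader from assuming a typo.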
diff --git a/fingerprintd.te b/public/fingerprintd.te
similarity index 65%
rename from fingerprintd.te
rename to public/fingerprintd.te
index 1c0ab1c..5dd18a3 100644
--- a/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,12 +1,13 @@
-type fingerprintd, domain, domain_deprecated;
+type fingerprintd, domain;
 type fingerprintd_exec, exec_type, file_type;
 
-# fingerprintd
-init_daemon_domain(fingerprintd)
 binder_use(fingerprintd)
 
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
 # need to find KeyStore and add self
-allow fingerprintd fingerprintd_service:service_manager { add find };
+add_service(fingerprintd, fingerprintd_service)
 
 # allow HAL module to read dir contents
 allow fingerprintd fingerprintd_data_file:file { create_file_perms };
@@ -21,3 +22,7 @@
 # For permissions checking
 binder_call(fingerprintd, system_server);
 allow fingerprintd permission_service:service_manager find;
+
+r_dir_file(fingerprintd, cgroup)
+r_dir_file(fingerprintd, sysfs_type)
+allow fingerprintd ion_device:chr_file r_file_perms;
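Review bot: `r_dir_file(fingerprintd, sysfs_type)` grants read access to every sysfs-labelled type, including the deliberately separated ones such as `sysfs_mac_address`, with no comment saying which nodes the HAL actually consumes, while the new `public/hal_fingerprint.te` in this same commit grants only `r_dir_file(hal_fingerprint, sysfs)`. If the whole attribute is required here, a comment naming the consumer (`# HAL reads <node> under sysfs — TODO name it`) documents the width; otherwise narrowing to `sysfs` keeps the two fingerprint domains consistent. The same question applies to `r_dir_file(hal_bluetooth, sysfs_type)` in `public/hal_bluetooth.te`.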
diff --git a/fsck.te b/public/fsck.te
similarity index 63%
rename from fsck.te
rename to public/fsck.te
index d5a6db1..b682a87 100644
--- a/fsck.te
+++ b/public/fsck.te
@@ -1,9 +1,7 @@
 # Any fsck program run by init
-type fsck, domain, domain_deprecated;
+type fsck, domain;
 type fsck_exec, exec_type, file_type;
 
-init_daemon_domain(fsck)
-
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow fsck tmpfs:chr_file { read write ioctl };
@@ -21,9 +19,19 @@
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
 
-# fsck performs a stat() on swap to verify that it is a valid
-# swap device before setting the EXT2_MF_SWAP mount flag.
-allow fsck swap_block_device:blk_file getattr;
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
+
+r_dir_file(fsck, proc)
+allow fsck rootfs:dir r_dir_perms;
 
 ###
 ### neverallow rules
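Review bot: The nine-line comment explaining the /proc/mounts major/minor comparison is duplicated verbatim in `public/fsck_untrusted.te` in this same commit; keeping it once here and pointing the other file at it with `# See public/fsck.te for why stat on all block devices is needed.` avoids the two copies drifting apart. The new `r_dir_file(fsck, proc)` and `allow fsck rootfs:dir r_dir_perms;` lines carry no comment at all; from the surrounding text they appear to serve the same /proc/mounts scan, so `# /proc/mounts scan described above` would tie them to it. Note that `proc` is the generic procfs label in the new `public/file.te`, not just /proc/mounts, which is worth stating if that width is intended.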
diff --git a/fsck_untrusted.te b/public/fsck_untrusted.te
similarity index 61%
rename from fsck_untrusted.te
rename to public/fsck_untrusted.te
index 00faa20..e2aceb8 100644
--- a/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain, domain_deprecated;
+type fsck_untrusted, domain;
 
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
@@ -12,6 +12,19 @@
 allow fsck_untrusted block_device:dir search;
 allow fsck_untrusted vold_device:blk_file rw_file_perms;
 
+r_dir_file(fsck_untrusted, proc)
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
 ###
 ### neverallow rules
 ###
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
new file mode 100644
index 0000000..ff36956
--- /dev/null
+++ b/public/gatekeeperd.te
@@ -0,0 +1,42 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, exec_type, file_type;
+
+# gatekeeperd
+binder_service(gatekeeperd)
+binder_use(gatekeeperd)
+
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hal_client_domain(gatekeeperd, hal_gatekeeper)
+###
+
+# need to find KeyStore and add self
+add_service(gatekeeperd, gatekeeper_service)
+
+# Need to add auth tokens to KeyStore
+use_keystore(gatekeeperd)
+allow gatekeeperd keystore:keystore_key { add_auth };
+
+# For permissions checking
+allow gatekeeperd system_server:binder call;
+allow gatekeeperd permission_service:service_manager find;
+
+# For parent user ID lookup
+allow gatekeeperd user_service:service_manager find;
+
+# for SID file access
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+
+# For hardware properties retrieval
+allow gatekeeperd hardware_properties_service:service_manager find;
+
+r_dir_file(gatekeeperd, cgroup)
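Review bot: `allow gatekeeperd system_server:binder call;` is written as a raw rule, whereas the renamed `fingerprintd.te` in this commit expresses the same permission-checking access as `binder_call(fingerprintd, system_server)`; writing `binder_call(gatekeeperd, system_server)` here keeps the two daemons consistent, though confirm that anything extra the macro grants is wanted. The comment `# need to find KeyStore and add self` sits above `add_service(gatekeeperd, gatekeeper_service)`, which only registers gatekeeperd's own service; the KeyStore access comes from `use_keystore(gatekeeperd)` a few lines down, so the comment should read `# register the gatekeeper service with servicemanager`. The two `### These rules should eventually be granted only when needed.` banners describe both the in-process and out-of-process HAL grants as provisional but nothing gates them; a TODO with the condition (build flag or HAL mode) would make that actionable.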
diff --git a/global_macros b/public/global_macros
similarity index 72%
rename from global_macros
rename to public/global_macros
index 0534e46..a61ffbc 100644
--- a/global_macros
+++ b/public/global_macros
@@ -8,7 +8,7 @@
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')
 
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
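Review bot: Widening `socket_class_set` changes the meaning of every existing `allow … socket_class_set` rule as well as the neverallows, silently granting classes such as `bluetooth_socket`, `vsock_socket` and `alg_socket` wherever the set was used permissively; a comment on the define stating that the set is meant to be exhaustive for neverallow coverage, together with an audit of allow-side uses, would make that deliberate. The removal of `netlink_firewall_socket` and `netlink_ip6fw_socket` is uncommented; if they are dropped because current kernels no longer define those classes, say so inline so nobody re-adds them.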
@@ -41,6 +41,8 @@
 #####################################
 # Common socket permission sets.
 define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
 define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
 define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
 define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
new file mode 100644
index 0000000..646cebd
--- /dev/null
+++ b/public/hal_allocator.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_audio.te b/public/hal_audio.te
new file mode 100644
index 0000000..33330bf
--- /dev/null
+++ b/public/hal_audio.te
@@ -0,0 +1,38 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
+allow hal_audio ion_device:chr_file r_file_perms;
+
+userdebug_or_eng(`
+  # used for pcm capture for debug.
+  allow hal_audio audiohal_data_file:dir create_dir_perms;
+  allow hal_audio audiohal_data_file:file create_file_perms;
+')
+
+r_dir_file(hal_audio, proc)
+allow hal_audio audio_device:dir r_dir_perms;
+allow hal_audio audio_device:chr_file rw_file_perms;
+
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_audio shell:fd use;
+allow hal_audio shell:fifo_file write;
+allow hal_audio dumpstate:fd use;
+allow hal_audio dumpstate:fifo_file write;
+
+###
+### neverallow rules
+###
+
+# Should never execute any executable without a domain transition
+neverallow hal_audio { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access.
+# Disallow network sockets.
+neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
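Review bot: The neverallow backing `# Should never need network access.` covers only `tcp_socket udp_socket rawip_socket`, while this same commit extends `socket_class_set` in `public/global_macros` with `sctp_socket`, `icmp_socket` and other network-capable classes; either extend the list or add a comment saying why those three are sufficient. `public/hal_camera.te` carries the identical three-class neverallow and has the same gap. Also, `r_dir_file(hal_audio, proc)` is the only grant in this file without a comment, and `proc` is the generic procfs label in the new `public/file.te`; a line naming the node the HAL reads would justify the width.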
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
new file mode 100644
index 0000000..2394e2e
--- /dev/null
+++ b/public/hal_bluetooth.te
@@ -0,0 +1,30 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_bluetooth_client, hal_bluetooth_server)
+binder_call(hal_bluetooth_server, hal_bluetooth_client)
+
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
+wakelock_use(hal_bluetooth);
+
+# The HAL toggles rfkill to power the chip off/on.
+allow hal_bluetooth self:capability net_admin;
+
+# bluetooth factory file accesses.
+r_dir_file(hal_bluetooth, bluetooth_efs_file)
+
+allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+r_dir_file(hal_bluetooth, sysfs_type)
+allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth self:capability2 wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_bluetooth self:capability sys_nice;
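Review bot: `wakelock_use(hal_bluetooth);` carries a trailing semicolon that none of the other macro invocations in this file have (`binder_call(...)`, `r_dir_file(...)`, `set_prop(...)`); drop it for consistency. `allow hal_bluetooth self:capability2 wake_alarm;` sits under the `# sysfs access.` comment but is unrelated to sysfs; give it its own line, e.g. `# timer-based wakeups from the HAL`, so the capability grant is visibly intentional rather than looking like it was appended to the wrong block.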
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
new file mode 100644
index 0000000..8b240b1
--- /dev/null
+++ b/public/hal_bootctl.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/public/hal_camera.te b/public/hal_camera.te
new file mode 100644
index 0000000..413a057
--- /dev/null
+++ b/public/hal_camera.te
@@ -0,0 +1,36 @@
+# HwBinder IPC from clients to server and callbacks
+binder_call(hal_camera_client, hal_camera_server)
+binder_call(hal_camera_server, hal_camera_client)
+
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+
+# access /data/misc/camera
+allow hal_camera camera_data_file:dir create_dir_perms;
+allow hal_camera camera_data_file:file create_file_perms;
+
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+# Both the client and the server need to use the graphics allocator
+allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
+
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
+allow hal_camera { appdomain -isolated_app }:fd use;
+allow hal_camera surfaceflinger:fd use;
+allow hal_camera hal_allocator_server:fd use;
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only camera HAL may directly access the camera hardware
+neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
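Review bot: The comment `# Allow hal_camera to use fd from app,gralloc,and ashmem HAL` does not match the three rules beneath it, which cover `appdomain`, `surfaceflinger` and `hal_allocator_server`; the gralloc fd grant is actually the `hal_graphics_allocator:fd use` line above it. Rewording to `# Allow hal_camera to use fds from apps, surfaceflinger and the ashmem (allocator) HAL` keeps the comment and the rules aligned. `allow hal_camera ion_device:chr_file rw_file_perms;` is also the only device grant here without a note; `# ion for camera buffers` or similar would match the style of the rest of the file.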
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
new file mode 100644
index 0000000..4bf6cfd
--- /dev/null
+++ b/public/hal_configstore.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
new file mode 100644
index 0000000..f11bfc8
--- /dev/null
+++ b/public/hal_contexthub.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/public/hal_drm.te b/public/hal_drm.te
new file mode 100644
index 0000000..5a6bf5c
--- /dev/null
+++ b/public/hal_drm.te
@@ -0,0 +1,60 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
+
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# System file accesses
+allow hal_drm system_file:dir r_dir_perms;
+allow hal_drm system_file:file r_file_perms;
+allow hal_drm system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data
+allow hal_drm system_data_file:dir { search getattr };
+allow hal_drm system_data_file:file { getattr read };
+allow hal_drm system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
+allow hal_drm media_data_file:file { getattr read };
+
+allow hal_drm sysfs:file r_file_perms;
+
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
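Review bot: The `# Read access to pseudo filesystems` comment is followed by `allow hal_drm cgroup:dir { search write };` and `allow hal_drm cgroup:file w_file_perms;`, which grant write, not read; split the comment so the write rules get their own justification (`# cgroup writes for thread scheduling — TODO confirm`). `allow hal_drm media_data_file:file { getattr read };` directly follows `create_file_perms` on the same type and is presumably a subset of it, so it can go. The `allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket } ioctl …` line has no matching socket `create` grant visible in this file; if socket creation is granted elsewhere a comment pointing there would help, and if it is not the allowxperm is dead.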
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
new file mode 100644
index 0000000..2853567
--- /dev/null
+++ b/public/hal_dumpstate.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_dumpstate_client, hal_dumpstate_server)
+binder_call(hal_dumpstate_server, hal_dumpstate_client)
+
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
+# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
+allow hal_dumpstate shell_data_file:file write;
+# allow reading /proc/interrupts for all hal impls
+allow hal_dumpstate proc_interrupts:file r_file_perms;
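Review bot: The `shell_data_file:file write` grant on the line under the bug-report comment deliberately omits `open`, `create` and `getattr`, so the HAL can only write into a descriptor it is handed, presumably by dumpstate; that intent is the security-relevant part and deserves to be stated. Suggested comment: `# write only (no open/create): the HAL appends to the bugreport fd passed in by its caller, it cannot open shell data files itself`. Without it a later "fix" for a denial is likely to add `open` and widen the HAL's reach into /data/data/com.android.shell.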
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
new file mode 100644
index 0000000..bef9f55
--- /dev/null
+++ b/public/hal_fingerprint.te
@@ -0,0 +1,18 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_fingerprint_client, hal_fingerprint_server)
+binder_call(hal_fingerprint_server, hal_fingerprint_client)
+
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
+# allow HAL module to read dir contents
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, sysfs)
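Review bot: The two comments over the fingerprintd_data_file rules do not match the rules beneath them: "read dir contents" sits above `fingerprintd_data_file:file create_file_perms` (create/read/write/unlink of files), and "read/write/unlink contents of this dir" sits above `fingerprintd_data_file:dir rw_dir_perms` (list and add/remove entries). Since these comments are what a reviewer uses to judge whether the grant is wider than needed, they should describe the actual permission: `# allow HAL module to create/read/write/unlink files in its data dir` and `# allow HAL module to list this dir and add/remove entries`.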
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
new file mode 100644
index 0000000..123acf5
--- /dev/null
+++ b/public/hal_gatekeeper.te
@@ -0,0 +1,8 @@
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
+
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
+# TEE access.
+allow hal_gatekeeper tee_device:chr_file rw_file_perms;
+allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
new file mode 100644
index 0000000..b59cd1d
--- /dev/null
+++ b/public/hal_gnss.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
new file mode 100644
index 0000000..f56e8f6
--- /dev/null
+++ b/public/hal_graphics_allocator.te
@@ -0,0 +1,13 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_graphics_allocator self:capability sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
new file mode 100644
index 0000000..287037c
--- /dev/null
+++ b/public/hal_graphics_composer.te
@@ -0,0 +1,26 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
+
+# Coordinate with hal_graphics_mapper
+allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer hal_graphics_allocator:fd use;
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:dir search;
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+
+# Fences
+allow hal_graphics_composer system_server:fd use;
+allow hal_graphics_composer bootanim:fd use;
+allow hal_graphics_composer appdomain:fd use;
+
+# allow self to set SCHED_FIFO
+allow hal_graphics_composer self:capability sys_nice;
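Review bot: The fence grant `allow hal_graphics_composer appdomain:fd use;` covers every app domain including isolated_app, whereas hal_sensors in the same change writes `{ appdomain -isolated_app }:fd use`. If isolated processes never hand fences to the composer, the narrower form would keep the two HALs consistent; if they do (e.g. via a renderer path), a one-line comment such as `# includes isolated_app: fences from isolated renderers reach the composer` would document why the exclusion is absent. I cannot tell from the hunk which is the case.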
diff --git a/public/hal_health.te b/public/hal_health.te
new file mode 100644
index 0000000..c19c5f1
--- /dev/null
+++ b/public/hal_health.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
+
+# Read access to system files for HALs in
+# /{system,vendor,odm}/lib[64]/hw/ in order
+# to be able to open the hal implementation .so files
+r_dir_file(hal_health, system_file)
diff --git a/public/hal_ir.te b/public/hal_ir.te
new file mode 100644
index 0000000..b1bfdd8
--- /dev/null
+++ b/public/hal_ir.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
new file mode 100644
index 0000000..dc5f6d0
--- /dev/null
+++ b/public/hal_keymaster.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
+
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
+allow hal_keymaster tee_device:chr_file rw_file_perms;
+allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
new file mode 100644
index 0000000..5b93dd1
--- /dev/null
+++ b/public/hal_light.te
@@ -0,0 +1,10 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
+
+allow hal_light sysfs_leds:lnk_file read;
+allow hal_light sysfs_leds:file rw_file_perms;
+allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
new file mode 100644
index 0000000..b2cc9cd
--- /dev/null
+++ b/public/hal_memtrack.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
new file mode 100644
index 0000000..feadcda
--- /dev/null
+++ b/public/hal_neverallows.te
@@ -0,0 +1,51 @@
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+  halserverdomain
+  -hal_bluetooth_server
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} self:capability { net_admin net_raw };
+
+# Unless a HAL's job is to manage network hardware, it should not be
+# using network sockets.
+neverallow {
+  halserverdomain
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} domain:{ tcp_socket udp_socket rawip_socket } *;
+
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+#    the platform.
+# 3) The platform cannot reason about defense in depth if there are
+#    monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+  halserverdomain
+  -hal_dumpstate_server
+  -rild
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;
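Review bot: The explanatory block refers to `hwbinder_call`, but the macro actually used throughout the new hal_*.te files is `binder_call`; the mismatch will send readers looking for a macro that is not there. The same block has "conjuntion" and "its OK … its not OK" (should be "conjunction", "it's"). Separately, the capability neverallow exempts hal_bluetooth_server while the socket neverallow does not; if that asymmetry is intended (bluetooth needs net_admin/net_raw but no IP sockets), a comment saying so would stop someone from "fixing" it later.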
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
new file mode 100644
index 0000000..a027c48
--- /dev/null
+++ b/public/hal_nfc.te
@@ -0,0 +1,16 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_nfc_client, hal_nfc_server)
+binder_call(hal_nfc_server, hal_nfc_client)
+
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
+# Set NFC properties (used by bcm2079x HAL).
+set_prop(hal_nfc, nfc_prop)
+
+# NFC device access.
+allow hal_nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow hal_nfc nfc_data_file:dir create_dir_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
new file mode 100644
index 0000000..dcbb964
--- /dev/null
+++ b/public/hal_oemlock.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server
+# binder_call(hal_oemlock_client, hal_oemlock_server)
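Review bot: The file consists of a single commented-out rule with no explanation, and no `hal_oemlock_hwservice` type appears in hwservice.te, so a reader cannot tell whether the HAL is unfinished or intentionally isolated. A one-line reason would help, e.g. `# IPC rules intentionally disabled until the oemlock HAL is registered with hwservicemanager` (adjust to the real reason); hal_weaver.te in this change has the same shape and would benefit from the same note.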
diff --git a/public/hal_power.te b/public/hal_power.te
new file mode 100644
index 0000000..fcba3d2
--- /dev/null
+++ b/public/hal_power.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
new file mode 100644
index 0000000..068c93b
--- /dev/null
+++ b/public/hal_sensors.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server
+binder_call(hal_sensors_client, hal_sensors_server)
+
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
+# Allow sensor hals to access ashmem memory allocated by apps
+allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
+
+# allow to run with real-time scheduling policy
+allow hal_sensors self:capability sys_nice;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
new file mode 100644
index 0000000..41cfd4b
--- /dev/null
+++ b/public/hal_telephony.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
new file mode 100644
index 0000000..b1764f1
--- /dev/null
+++ b/public/hal_thermal.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
new file mode 100644
index 0000000..7719cae
--- /dev/null
+++ b/public/hal_tv_cec.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_cec_client, hal_tv_cec_server)
+binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
new file mode 100644
index 0000000..31a0067
--- /dev/null
+++ b/public/hal_tv_input.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/public/hal_usb.te b/public/hal_usb.te
new file mode 100644
index 0000000..9cfd516
--- /dev/null
+++ b/public/hal_usb.te
@@ -0,0 +1,18 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
+
+allow hal_usb self:netlink_kobject_uevent_socket create;
+allow hal_usb self:netlink_kobject_uevent_socket setopt;
+allow hal_usb self:netlink_kobject_uevent_socket bind;
+allow hal_usb self:netlink_kobject_uevent_socket read;
+allow hal_usb sysfs:dir open;
+allow hal_usb sysfs:dir read;
+allow hal_usb sysfs:file read;
+allow hal_usb sysfs:file open;
+allow hal_usb sysfs:file write;
+allow hal_usb sysfs:file getattr;
+
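Review bot: `allow hal_usb sysfs:file write;` grants write access to every node carrying the generic `sysfs` label, which is considerably wider than the other HALs in this change that write to sysfs: hal_light uses sysfs_leds, hal_vibrator uses sysfs_vibrator and hal_wifi uses sysfs_wlan_fwpath. Labelling the USB nodes the HAL actually writes with a dedicated sysfs_* type and granting write on that type would confine a compromised USB HAL to its own attributes. As a style point, the one-permission-per-line rules can be collapsed without changing the grant: `allow hal_usb self:netlink_kobject_uevent_socket { create setopt bind read };`, `allow hal_usb sysfs:dir { open read };`, `allow hal_usb sysfs:file { open read write getattr };`.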
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
new file mode 100644
index 0000000..c8612d7
--- /dev/null
+++ b/public/hal_vibrator.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
new file mode 100644
index 0000000..3cb392d
--- /dev/null
+++ b/public/hal_vr.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
new file mode 100644
index 0000000..1910cf1
--- /dev/null
+++ b/public/hal_weaver.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server
+# binder_call(hal_weaver_client, hal_weaver_server)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
new file mode 100644
index 0000000..5e0b9bc
--- /dev/null
+++ b/public/hal_wifi.te
@@ -0,0 +1,23 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_client, hal_wifi_server)
+binder_call(hal_wifi_server, hal_wifi_client)
+
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
+r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, sysfs_type)
+
+set_prop(hal_wifi, wifi_prop)
+
+# allow hal wifi set interfaces up and down
+allow hal_wifi self:udp_socket create_socket_perms;
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
+
+allow hal_wifi self:capability { net_admin net_raw };
+# allow hal_wifi to speak to nl80211 in the kernel
+allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
+# hal_wifi writes firmware paths to this file.
+allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
new file mode 100644
index 0000000..dac5171
--- /dev/null
+++ b/public/hal_wifi_offload.te
@@ -0,0 +1,6 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
+binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
+
+r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, sysfs_type)
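Review bot: Unlike every other hal_*.te in this change, this file has no `add_hwservice(hal_wifi_offload_server, …)` and no client `hwservice_manager find` rule, and hwservice.te declares no `hal_wifi_offload_hwservice` type, so a binderized offload HAL could not register or be located. If the HAL is meant to be passthrough-only for now, a comment saying so would make the omission clearly deliberate, e.g. `# passthrough only: no hwservice registration yet`; otherwise the hwservice type and registration/find rules are missing.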
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
new file mode 100644
index 0000000..0f2540e
--- /dev/null
+++ b/public/hal_wifi_supplicant.te
@@ -0,0 +1,41 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
+binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(hal_wifi_supplicant, sysfs_type)
+r_dir_file(hal_wifi_supplicant, proc_net)
+
+allow hal_wifi_supplicant kernel:system module_request;
+allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
+allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:packet_socket create_socket_perms;
+allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
+
+# Allow wpa_cli to work. wpa_cli creates a socket in
+# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
+userdebug_or_eng(`
+  unix_socket_send(hal_wifi_supplicant, wpa, su)
+')
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_supplicant_server sdcard_type:file *;
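Review bot: The capability line grants `setuid` and `setgid` with no comment, while the sibling network HAL in this change (hal_wifi) needs only `net_admin net_raw`; a one-line reason such as `# setuid/setgid: supplicant drops to the wifi uid/gid after binding raw sockets` (or whatever the actual reason is) would let a future reviewer decide whether they can be removed. The wpa_cli comment also has a doubled word: "which hal_wifi_supplicant supplicant communicates with" should read "which hal_wifi_supplicant communicates with".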
diff --git a/healthd.te b/public/healthd.te
similarity index 71%
rename from healthd.te
rename to public/healthd.te
index 2658ef8..c0a7bec 100644
--- a/healthd.te
+++ b/public/healthd.te
@@ -1,19 +1,30 @@
-# healthd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type healthd, domain, domain_deprecated;
+# healthd - battery/charger monitoring service daemon
+type healthd, domain;
+type healthd_exec, exec_type, file_type;
 
 # Write to /dev/kmsg
 allow healthd kmsg_device:chr_file rw_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs)
+r_dir_file(healthd, sysfs_type)
+r_dir_file(healthd, rootfs)
+r_dir_file(healthd, cgroup)
 
-allow healthd self:capability { net_admin sys_tty_config };
+# Read access to system files for passthrough HALs in
+# /{system,vendor,odm}/lib[64]/hw/
+r_dir_file(healthd, system_file)
+
+allow healthd self:capability { sys_tty_config };
+allow healthd self:capability sys_boot;
+
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
 wakelock_use(healthd)
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
+
 binder_use(healthd)
 binder_service(healthd)
 binder_call(healthd, system_server)
+hal_client_domain(healthd, hal_health)
 
 # Write to state file.
 # TODO:  Split into a separate type?
@@ -24,6 +35,8 @@
 
 allow healthd sysfs_batteryinfo:file r_file_perms;
 
+r_dir_file(healthd, sysfs_type)
+
 ###
 ### healthd: charger mode
 ###
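Review bot: The added `r_dir_file(healthd, sysfs_type)` duplicates the identical macro expansion that the first hunk of this file already adds under "Read access to pseudo filesystems"; the second copy is redundant and, being placed next to the narrower `sysfs_batteryinfo:file r_file_perms`, makes that narrower rule look meaningful when the broader one already subsumes it. Drop the two added lines here and keep the single expansion at the top of the file.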
@@ -42,9 +55,8 @@
 allow healthd ashmem_device:chr_file execute;
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
-allow healthd self:capability sys_boot;
 
-allow healthd batteryproperties_service:service_manager { add find };
+add_service(healthd, batteryproperties_service)
 
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
diff --git a/public/hwservice.te b/public/hwservice.te
new file mode 100644
index 0000000..ca99105
--- /dev/null
+++ b/public/hwservice.te
@@ -0,0 +1,43 @@
+type default_android_hwservice, hwservice_manager_type;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
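Review bot: `hal_configstore_ISurfaceFlingerConfigs` is the only type in this list that does not follow the `*_hwservice` naming used by the other 42 entries, and it embeds an interface name rather than a HAL name. Renaming it to the pattern (e.g. `hal_configstore_hwservice`) would keep hwservice_contexts and any neverallow written against `*_hwservice` uniform; if the interface-specific name is intentional because configstore exposes several interfaces with different sensitivity, a comment on that line should say so.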
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
new file mode 100644
index 0000000..1ffd2a6
--- /dev/null
+++ b/public/hwservicemanager.te
@@ -0,0 +1,22 @@
+# hwservicemanager - the Binder context manager for HAL services
+type hwservicemanager, domain, mlstrustedsubject;
+type hwservicemanager_exec, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+set_prop(hwservicemanager, hwservicemanager_prop)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/idmap.te b/public/idmap.te
similarity index 62%
rename from idmap.te
rename to public/idmap.te
index c1b4d0f..1c32f8f 100644
--- a/idmap.te
+++ b/public/idmap.te
@@ -1,5 +1,5 @@
 # idmap, when executed by installd
-type idmap, domain, domain_deprecated;
+type idmap, domain;
 type idmap_exec, exec_type, file_type;
 
 # Use open file to /data/resource-cache file inherited from installd.
@@ -8,3 +8,10 @@
 
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
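Review bot: The two new comments read "Allow apps access to /vendor/app" and "Allow apps access to /vendor/overlay", but the rules they label grant read access to the idmap domain, not to apps; they look copied from an app rule. Suggested wording: `# Allow idmap read access to /vendor/app` and `# Allow idmap read access to /vendor/overlay`, which also makes clear the grant is read-only.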
diff --git a/public/incident.te b/public/incident.te
new file mode 100644
index 0000000..ce57bf6
--- /dev/null
+++ b/public/incident.te
@@ -0,0 +1,8 @@
+# The incident command is used to call into the incidentd service to
+# take an incident report (binary, shared bugreport), download incident
+# reports that have already been taken, and monitor for new ones.
+# It doesn't do anything else.
+
+# incident
+type incident, domain;
+
diff --git a/public/incidentd.te b/public/incidentd.te
new file mode 100644
index 0000000..b03249c
--- /dev/null
+++ b/public/incidentd.te
@@ -0,0 +1,3 @@
+# incidentd
+type incidentd, domain;
+
diff --git a/init.te b/public/init.te
similarity index 64%
rename from init.te
rename to public/init.te
index 9bc78d1..6d43ef4 100644
--- a/init.te
+++ b/public/init.te
@@ -1,22 +1,38 @@
 # init is its own domain.
-type init, domain, domain_deprecated, mlstrustedsubject;
-tmpfs_domain(init)
+type init, domain, mlstrustedsubject;
 
 # The init domain is entered by execing init.
 type init_exec, exec_type, file_type;
 
 # /dev/__null__ node created by init.
-allow init tmpfs:chr_file create_file_perms;
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
 
 #
 # init direct restorecon calls.
 #
-# /dev/socket
-allow init { device socket_device }:dir relabelto;
+# /dev/kmsg
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { write relabelto };
 # /dev/__properties__
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { create_file_perms relabelto };
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto };
+# /dev/socket
+allow init { device socket_device }:dir relabelto;
+# /dev/random, /dev/urandom
+allow init random_device:chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+allow init system_block_device:{ blk_file lnk_file } relabelto;
 
 # setrlimit
 allow init self:capability sys_resource;
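Review bot: `allow init kernel:fd use;` is added under the "/dev/device-mapper, /dev/block" comment with nothing explaining why init needs to use descriptors owned by the kernel domain, and it is not obviously part of a restorecon. A why-comment on that line would help, e.g. `# fds inherited from the kernel at early boot (TODO: confirm which)`, hedged until the source of the descriptors is known.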
@@ -44,7 +60,7 @@
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
@@ -59,6 +75,7 @@
 allow init tmpfs:dir create_dir_perms;
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
+r_dir_file(init, cgroup)
 allow init cpuctl_device:dir { create mounton };
 
 # /config
@@ -102,40 +119,128 @@
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
-allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
+
+allow init {
+  file_type
+  -app_data_file
+  -exec_type
+  -misc_logd_file
+  -system_app_data_file
+  -system_file
+  -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+  file_type
+  -app_data_file
+  -exec_type
+  -keystore_data_file
+  -misc_logd_file
+  -shell_data_file
+  -system_app_data_file
+  -system_file
+  -vendor_file_type
+  -vold_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+  file_type
+  -app_data_file
+  -runtime_event_log_tags_file
+  -exec_type
+  -keystore_data_file
+  -misc_logd_file
+  -shell_data_file
+  -system_app_data_file
+  -system_file
+  -vendor_file_type
+  -vold_data_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow init {
+  file_type
+  -app_data_file
+  -exec_type
+  -keystore_data_file
+  -misc_logd_file
+  -shell_data_file
+  -system_app_data_file
+  -system_file
+  -vendor_file_type
+  -vold_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+  file_type
+  -app_data_file
+  -exec_type
+  -keystore_data_file
+  -misc_logd_file
+  -shell_data_file
+  -system_app_data_file
+  -system_file
+  -vendor_file_type
+  -vold_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init cache_file:lnk_file r_file_perms;
+
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
 
 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
+allow init tracing_shell_writable:file w_file_perms;
+
+# Setup and control wifi event tracing (see wifi-events.rc)
+allow init debugfs_tracing_instances:dir create_dir_perms;
+allow init debugfs_tracing_instances:file w_file_perms;
+allow init debugfs_wifi_tracing:file w_file_perms;
 
 # chown/chmod on pseudo files.
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init {
+  dev_type
+  -kmem_device
+  -port_device
+  -device
+  -vndbinder_device
+  }:chr_file { read open };
+auditallow init {
+  dev_type
+  -alarm_device
+  -ashmem_device
+  -binder_device
+  -console_device
+  -device
+  -devpts
+  -dm_device
+  -hwbinder_device
+  -hw_random_device
+  -keychord_device
+  -kmem_device
+  -kmsg_device
+  -null_device
+  -owntty_device
+  -port_device
+  -ptmx_device
+  -random_device
+  -zero_device
+}:chr_file { read open };
+
 # chown/chmod on devices.
-allow init { dev_type -kmem_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 
-# Create /data/security from init.rc post-fs-data.
-allow init security_file:dir { create setattr };
-
-# Reload policy upon setprop selinux.reload_policy 1.
-# Note: this requires the following allow rule
-#   allow init kernel:security load_policy;
-# which can be configured on a device-by-device basis if needed.
-r_dir_file(init, security_file)
-
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
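Review bot: The comment "init should not be able to read or open generic devices" sits directly above a rule that allows `{ read open }` on all of dev_type except four labels, so the comment states the opposite of what the policy does. Reword it to describe the interim state the auditallow beneath is meant to resolve, e.g. `# init currently reads/opens most device nodes; the auditallow below records which ones so this can be narrowed (TODO)`. Minor: in the `:file` rule the `-runtime_event_log_tags_file` exclusion is out of the alphabetical order the other exclusion lists keep.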
@@ -146,44 +251,32 @@
 allow init proc_security:file rw_file_perms;
 
 # Write to /proc/sys/kernel/panic_on_oops.
+r_dir_file(init, proc)
 allow init proc:file w_file_perms;
 
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(init, proc_net)
 allow init proc_net:file w_file_perms;
 allow init self:capability net_admin;
 
 # Write to /proc/sysrq-trigger.
 allow init proc_sysrq:file w_file_perms;
 
+# Read /proc/stat for bootchart.
+allow init proc_stat:file r_file_perms;
+
 # Reboot.
 allow init self:capability sys_boot;
 
 # Write to sysfs nodes.
 allow init sysfs_type:dir r_dir_perms;
-allow init sysfs_type:file w_file_perms;
-
-# disksize
-allow init sysfs_zram:file getattr;
-
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, adbd)
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-recovery_only(`
-  domain_trans(init, rootfs, recovery)
-')
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, watchdogd)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
-  domain_auto_trans(init, logcat_exec, logd)
-')
+allow init sysfs_type:lnk_file read;
+allow init sysfs_type:file rw_file_perms;
 
 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { open create read getattr setattr search };
-allow init misc_logd_file:file { getattr };
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
 
 # Support "adb shell stop"
 allow init self:capability kill;
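Review bot: The comment `# Write to sysfs nodes.` above `allow init sysfs_type:file rw_file_perms;` is now wrong: the rule went from write-only to read+write on every sysfs_type file, and the new `sysfs_type:lnk_file read` is undocumented. Because sysfs_type is an attribute covering every sysfs label, I would state the widening explicitly, e.g. `# Read and write sysfs nodes (sysfs_type covers every sysfs label; read access was added here).` and, if a specific node motivated the read, name it. The misc_logd_file rules two lines down likewise now grant `create` and `write` on files, which the comment above them (create the directory, recursive restorecon) does not cover; a one-line reason for file writes would let the next reviewer judge whether they can be tightened.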
@@ -203,8 +296,8 @@
 allow init shell_data_file:dir { open create read getattr setattr search };
 allow init shell_data_file:file { getattr };
 
-# Set UID and GID for services.
-allow init self:capability { setuid setgid };
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:capability { setuid setgid setpcap };
 
 # For bootchart to read the /proc/$pid/cmdline file of each process,
 # we need to have following line to allow init to have access
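Review bot: The comment on `allow init self:capability { setuid setgid setpcap };` describes setpcap as adjusting the bounding set, but CAP_SETPCAP also permits moving any bounding-set capability into the inheritable set and changing securebits, which is what makes it sensitive. I would document the full scope so a later reader does not treat it as drop-only: `# Set UID/GID and capability sets for services. setpcap also allows raising inheritable caps and changing securebits, so it must stay init-only.`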
@@ -217,6 +310,12 @@
 # setsockcreate is for labeling local/unix domain sockets.
 allow init self:process { setexec setfscreate setsockcreate };
 
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
 # Perform SELinux access checks on setting properties.
 selinux_check_access(init)
 
@@ -234,8 +333,16 @@
 # Set any property.
 allow init property_type:property_service set;
 
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:capability audit_write;
+
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
 allow init self:capability net_raw;
 
 # This line seems suspect, as it should not really need to
@@ -256,14 +363,9 @@
 # only ever accessed by init.
 allow init device:file create_file_perms;
 
-# Access character devices without a specific type,
-# e.g. /dev/keychord.
-# TODO: Move these devices into their own type unless they
-# are only ever accessed by init.
-allow init device:chr_file { rw_file_perms setattr };
-
 # keychord configuration
 allow init self:capability sys_tty_config;
+allow init keychord_device:chr_file rw_file_perms;
 
 # Access device mapper for setting up dm-verity
 allow init dm_device:chr_file rw_file_perms;
@@ -284,19 +386,32 @@
 # Allow init to create /data/unencrypted
 allow init unencrypted_data_file:dir create_dir_perms;
 
+# Allow init to write to /proc/sys/vm/overcommit_memory
+allow init proc_overcommit_memory:file { write };
+
 unix_socket_connect(init, vold, vold)
 
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;
 
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+allow init proc_meminfo:file r_file_perms;
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
+
 ###
 ### neverallow rules
 ###
 
-# The init domain is only entered via setcon from the kernel domain,
-# never via an exec-based transition.
+# The init domain is only entered via an exec based transition from the
+# kernel domain, never via setcon().
 neverallow domain init:process dyntransition;
-neverallow { domain -kernel} init:process transition;
+neverallow { domain -kernel } init:process transition;
 neverallow init { file_type fs_type -init_exec }:file entrypoint;
 
 # Never read/follow symlinks created by shell or untrusted apps.
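Review bot: `allow init vendor_shell_exec:file execute;` grants only the `execute` half of running a vendor script; without either `execute_no_trans` or a matching `process transition`/`entrypoint` pair (neither is in this hunk, so the transition is presumably defined elsewhere) the exec is still denied, and the comment should say where that transition lives and that `execute_no_trans` must not be added here, since that would run vendor scripts in the init domain. Suggested: `# Execute vendor shell scripts; the domain transition out of init is defined elsewhere. Do not add execute_no_trans: vendor scripts must never run as init.` The `r_dir_file(init, system_file)`, `r_dir_file(init, vendor_file_type)` and `system_data_file` read lines a few lines up carry no comment at all, and each widens init's read surface to a whole attribute, so a one-line reason per rule is warranted.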
diff --git a/inputflinger.te b/public/inputflinger.te
similarity index 66%
rename from inputflinger.te
rename to public/inputflinger.te
index 324f3f6..e5f12a0 100644
--- a/inputflinger.te
+++ b/public/inputflinger.te
@@ -1,8 +1,7 @@
 # inputflinger
-type inputflinger, domain, domain_deprecated;
+type inputflinger, domain;
 type inputflinger_exec, exec_type, file_type;
 
-init_daemon_domain(inputflinger)
 binder_use(inputflinger)
 binder_service(inputflinger)
 
@@ -10,6 +9,8 @@
 
 wakelock_use(inputflinger)
 
-allow inputflinger inputflinger_service:service_manager { add find };
+add_service(inputflinger, inputflinger_service)
 allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
+
+r_dir_file(inputflinger, cgroup)
diff --git a/install_recovery.te b/public/install_recovery.te
similarity index 67%
rename from install_recovery.te
rename to public/install_recovery.te
index 1c47236..2115663 100644
--- a/install_recovery.te
+++ b/public/install_recovery.te
@@ -1,9 +1,7 @@
 # service flash_recovery in init.rc
-type install_recovery, domain, domain_deprecated;
+type install_recovery, domain;
 type install_recovery_exec, exec_type, file_type;
 
-init_daemon_domain(install_recovery)
-
 allow install_recovery self:capability dac_override;
 
 # /system/bin/install-recovery.sh is a shell script.
@@ -12,6 +10,7 @@
 
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
+not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
 
 allow install_recovery toolbox_exec:file rx_file_perms;
 
@@ -21,11 +20,8 @@
 allow install_recovery recovery_block_device:blk_file rw_file_perms;
 
 # Create and delete /cache/saved.file
-allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms;
-allow install_recovery { cache_file cache_recovery_file }:file create_file_perms;
-
-auditallow install_recovery cache_recovery_file:dir rw_dir_perms;
-auditallow install_recovery cache_recovery_file:file create_file_perms;
+allow install_recovery cache_file:dir rw_dir_perms;
+allow install_recovery cache_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
 allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/installd.te b/public/installd.te
similarity index 65%
rename from installd.te
rename to public/installd.te
index ab0aadc..939a481 100644
--- a/installd.te
+++ b/public/installd.te
@@ -1,10 +1,8 @@
 # installer daemon
-type installd, domain, domain_deprecated;
+type installd, domain;
 type installd_exec, exec_type, file_type;
-
-init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
 
 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
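Review bot: `sys_admin` is added to installd's capability set without a comment; CAP_SYS_ADMIN is the broadest Linux capability (mount, quotactl and much more), so the reason must be recorded next to the grant. The `labeledfs:filesystem { quotaget quotamod }` rule later in this file suggests quotactl() is the motivation, but that is an inference from the diff, not something the hunk states. I would annotate it: `# sys_admin: needed for quotactl() on /data (see quotaget/quotamod below); do not rely on it for anything else.`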
@@ -13,7 +11,7 @@
 # Allow movement of APK files between volumes
 allow installd apk_data_file:dir { create_dir_perms relabelfrom };
 allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create read unlink };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
 
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file { r_file_perms unlink };
@@ -21,11 +19,22 @@
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd cgroup:{ file lnk_file } create_file_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(installd)
+
+r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
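Review bot: `allow installd cgroup:{ file lnk_file } create_file_perms;` grants create, write, unlink and rename on every cgroup control file and symlink, with no comment; the existing `cgroup:dir create_dir_perms` at least had the dir context above it. Writing cgroup control files can move processes between cgroups or change their limits, so I would name what installd actually needs: `# Create and write cgroup nodes (TODO: document which; scope to a dedicated type if one exists).` The new `r_dir_file(installd, rootfs)` just below is also uncommented.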
@@ -45,6 +54,12 @@
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;
 
+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
+allow installd sdcardfs:file { getattr unlink };
+
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;
 allow installd misc_user_data_file:file create_file_perms;
@@ -52,26 +67,17 @@
 allow installd keychain_data_file:file {r_file_perms unlink};
 
 # Create /data/.layout_version.* file
-type_transition installd system_data_file:file install_data_file;
 allow installd install_data_file:file create_file_perms;
 
 # Create files under /data/dalvik-cache.
 allow installd dalvikcache_data_file:dir create_dir_perms;
 allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_data_file:lnk_file getattr;
 
 # Create files under /data/resource-cache.
 allow installd resourcecache_data_file:dir rw_dir_perms;
 allow installd resourcecache_data_file:file create_file_perms;
 
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
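Review bot: The `type_transition installd system_data_file:file install_data_file;` line is removed while the comment `# Create /data/.layout_version.* file` and the `install_data_file:file create_file_perms` grant stay; without a transition somewhere, files installd creates in a system_data_file directory are labeled system_data_file and the retained allow rule is dead. If the transition moved to the private policy, as the dropped domain_auto_trans lines presumably did, the comment should say so: `# Create /data/.layout_version.* (the type_transition to install_data_file lives in private/installd.te).`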
@@ -96,7 +102,6 @@
     radio_data_file
     shell_data_file
     app_data_file
-    autoplay_data_file
 }:dir { create_dir_perms relabelfrom relabelto };
 
 allow installd {
@@ -106,7 +111,6 @@
     radio_data_file
     shell_data_file
     app_data_file
-    autoplay_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
 # Similar for the files under /data/misc/profiles/
@@ -114,8 +118,6 @@
 allow installd user_profile_data_file:file create_file_perms;
 allow installd user_profile_data_file:dir rmdir;
 allow installd user_profile_data_file:file unlink;
-allow installd user_profile_foreign_dex_data_file:dir { add_name getattr rmdir open read write search remove_name };
-allow installd user_profile_foreign_dex_data_file:file { getattr rename unlink };
 
 # Files created/updated by profman dumps.
 allow installd profman_dump_data_file:dir { search add_name write };
@@ -126,3 +128,32 @@
 
 # execute toybox for app relocation
 allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+add_service(installd, installd_service)
+allow installd dumpstate:fifo_file  { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
+
+# Allow installd to delete from /data/preloads when trimming data caches
+# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
+allow installd preloads_data_file:file { r_file_perms unlink };
+allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+###
+### Neverallow rules
+###
+
+# only system_server, installd and dumpstate may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } installd:binder call;
+neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/ioctl_defines b/public/ioctl_defines
similarity index 99%
rename from ioctl_defines
rename to public/ioctl_defines
index e879b38..a1cd0b9 100644
--- a/ioctl_defines
+++ b/public/ioctl_defines
@@ -389,7 +389,7 @@
 define(`CDROM_SEND_PACKET', `0x00005393')
 define(`CDROM_NEXT_WRITABLE', `0x00005394')
 define(`CDROM_LAST_WRITTEN', `0x00005395')
-define(`TCGETS', `0x00005401')
+define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
 define(`SNDCTL_TMR_START', `0x00005402')
 define(`TCSETS', `0x00005402')
 define(`SNDCTL_TMR_STOP', `0x00005403')
@@ -408,17 +408,17 @@
 define(`TIOCSCTTY', `0x0000540e')
 define(`TIOCGPGRP', `0x0000540f')
 define(`TIOCSPGRP', `0x00005410')
-define(`TIOCOUTQ', `0x00005411')
+define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
 define(`TIOCSTI', `0x00005412')
-define(`TIOCGWINSZ', `0x00005413')
-define(`TIOCSWINSZ', `0x00005414')
+define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
+define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
 define(`TIOCMGET', `0x00005415')
 define(`TIOCMBIS', `0x00005416')
 define(`TIOCMBIC', `0x00005417')
 define(`TIOCMSET', `0x00005418')
 define(`TIOCGSOFTCAR', `0x00005419')
 define(`TIOCSSOFTCAR', `0x0000541a')
-define(`FIONREAD', `0x0000541b')
+define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
 define(`TIOCLINUX', `0x0000541c')
 define(`TIOCCONS', `0x0000541d')
 define(`TIOCGSERIAL', `0x0000541e')
@@ -440,7 +440,7 @@
 define(`TCSETXW', `0x00005435')
 define(`TIOCVHANGUP', `0x00005437')
 define(`FIONCLEX', `0x00005450')
-define(`FIOCLEX', `0x00005451')
+define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
 define(`FIOASYNC', `0x00005452')
 define(`TIOCSERCONFIG', `0x00005453')
 define(`TIOCSERGWILD', `0x00005454')
diff --git a/ioctl_macros b/public/ioctl_macros
similarity index 87%
rename from ioctl_macros
rename to public/ioctl_macros
index f3840b8..f7081d5 100644
--- a/ioctl_macros
+++ b/public/ioctl_macros
@@ -21,7 +21,7 @@
 SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
 SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
 SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
-SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCGIFBR SIOCSIFBR
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
 SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
 SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
 SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
@@ -42,10 +42,16 @@
 }')
 
 # commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
+define(`unpriv_unix_sock_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
 
 # commonly used TTY ioctls
-define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW
+  TCFLSH TIOCSPGRP TIOCGPGRP
+}')
 
 # point to point ioctls
 define(`ppp_ioctls', `{
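Review bot: The expanded `unpriv_tty_ioctls` list leaves out `TIOCSTI`, the ioctl that injects bytes into a terminal's input queue and is the classic tty-escape primitive; since the list now includes most other terminal controls (TCSETS, TIOCSCTTY, TIOCSPGRP), the omission looks deliberate and should be stated so nobody "completes" the list later. Suggested comment above the define: `# Intentionally excludes TIOCSTI (input injection); never add it to an unpriv set.` The `# merge with unpriv_unix_sock_ioctls?` line is a question left in the policy — either merge the sets or record why they differ.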
diff --git a/public/isolated_app.te b/public/isolated_app.te
new file mode 100644
index 0000000..a907dac
--- /dev/null
+++ b/public/isolated_app.te
@@ -0,0 +1,9 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+type isolated_app, domain;
diff --git a/kernel.te b/public/kernel.te
similarity index 78%
rename from kernel.te
rename to public/kernel.te
index 1ca5673..9537c0d 100644
--- a/kernel.te
+++ b/public/kernel.te
@@ -1,17 +1,19 @@
 # Life begins with the kernel.
-type kernel, domain, domain_deprecated, mlstrustedsubject;
+type kernel, domain, mlstrustedsubject;
 
 allow kernel self:capability sys_nice;
 
 # Root fs.
-allow kernel rootfs:dir r_dir_perms;
-allow kernel rootfs:file r_file_perms;
-allow kernel rootfs:lnk_file r_file_perms;
+r_dir_file(kernel, rootfs)
+r_dir_file(kernel, proc)
 
 # Get SELinux enforcing status.
 allow kernel selinuxfs:dir r_dir_perms;
 allow kernel selinuxfs:file r_file_perms;
 
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
 # Allow init relabel itself.
 allow kernel rootfs:file relabelfrom;
 allow kernel init_exec:file relabelto;
@@ -41,8 +43,7 @@
 allow kernel self:capability sys_boot;
 allow kernel proc_sysrq:file w_file_perms;
 
-# Allow writing to /dev/__kmsg__ which was created prior to
-# loading policy
+# Allow writing to /dev/kmsg which was created prior to loading policy.
 allow kernel tmpfs:chr_file write;
 
 # Set checkreqprot by init.rc prior to switching to init domain.
@@ -63,7 +64,11 @@
 allow kernel app_data_file:file read;
 allow kernel asec_image_file:file read;
 
-domain_auto_trans(kernel, init_exec, init)
+# Allow reading loop device in update_engine_unittests. (b/28319454)
+userdebug_or_eng(`
+  allow kernel update_engine_data_file:file read;
+  allow kernel nativetest_data_file:file read;
+')
 
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
@@ -71,6 +76,9 @@
 allow kernel media_rw_data_file:dir create_dir_perms;
 allow kernel media_rw_data_file:file create_file_perms;
 
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file read;
+
 ###
 ### neverallow rules
 ###
@@ -85,9 +93,11 @@
 # possible causes include:
 # - The program is a kernel usermodehelper.  In this case, define a domain
 #   for the program and domain_auto_trans() to it.
-# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
-#   program was left in the kernel domain and is now trying to execute
-#   some other program.  Fix your init.rc file.
 # - You are running an exploit which switched to the init task credentials
 #   and is then trying to exec a shell or other program.  You lose!
-neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
+neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:capability { dac_override dac_read_search };
diff --git a/keystore.te b/public/keystore.te
similarity index 78%
rename from keystore.te
rename to public/keystore.te
index 9dca43c..ee5e675 100644
--- a/keystore.te
+++ b/public/keystore.te
@@ -1,22 +1,24 @@
-type keystore, domain, domain_deprecated;
+type keystore, domain;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
-init_daemon_domain(keystore)
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
+binder_call(keystore, system_server)
+
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore tee:unix_stream_socket connectto;
 
-allow keystore keystore_service:service_manager { add find };
+add_service(keystore, keystore_service)
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
 
 # Check SELinux permissions.
 selinux_check_access(keystore)
 
+r_dir_file(keystore, cgroup)
+
 ###
 ### Neverallow rules
 ###
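Review bot: `binder_call(keystore, system_server)` and the `sec_key_att_app_id_provider_service:service_manager find` line are added without a comment, and together they expand what a compromised keystore can reach. If the provider service is what keystore calls into system_server for (an inference from the two lines), say so: `# Call into system_server to fetch the attestation application id (sec_key_att_app_id_provider_service).`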
diff --git a/lmkd.te b/public/lmkd.te
similarity index 86%
rename from lmkd.te
rename to public/lmkd.te
index 570cbca..f4e6c2d 100644
--- a/lmkd.te
+++ b/public/lmkd.te
@@ -1,9 +1,7 @@
 # lmkd low memory killer daemon
-type lmkd, domain, domain_deprecated, mlstrustedsubject;
+type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
-init_daemon_domain(lmkd)
-
 allow lmkd self:capability { dac_override sys_resource kill };
 
 # lmkd locks itself in memory, to prevent it from being
@@ -16,8 +14,6 @@
 ## TODO: maybe scope this down?
 r_dir_file(lmkd, appdomain)
 allow lmkd appdomain:file write;
-r_dir_file(lmkd, autoplay_app)
-allow lmkd autoplay_app:file write;
 r_dir_file(lmkd, system_server)
 allow lmkd system_server:file write;
 
@@ -34,6 +30,8 @@
 # Set self to SCHED_FIFO
 allow lmkd self:capability sys_nice;
 
+allow lmkd proc_zoneinfo:file r_file_perms;
+
 ### neverallow rules
 
 # never honor LD_PRELOAD
diff --git a/public/logd.te b/public/logd.te
new file mode 100644
index 0000000..62bff97
--- /dev/null
+++ b/public/logd.te
@@ -0,0 +1,73 @@
+# android user-space log manager
+type logd, domain, mlstrustedsubject;
+type logd_exec, exec_type, file_type;
+
+# Read access to pseudo filesystems.
+r_dir_file(logd, cgroup)
+r_dir_file(logd, proc)
+r_dir_file(logd, proc_meminfo)
+r_dir_file(logd, proc_net)
+
+allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
+allow logd self:capability2 syslog;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kernel:system syslog_read;
+allow logd kmsg_device:chr_file w_file_perms;
+allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+  # Access to /data/misc/logd/event-log-tags
+  allow logd misc_logd_file:dir r_dir_perms;
+  allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
+
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
+r_dir_file(logd, domain)
+
+allow logd kernel:system syslog_mod;
+
+control_logd(logd)
+read_runtime_log_tags(logd)
+
+allow runtime_event_log_tags_file tmpfs:filesystem associate;
+# Typically harmlessly blindly trying to access via liblog
+# event tag mapping while in the untrusted_app domain.
+# Access for that domain is controlled and gated via the
+# event log tag service (albeit at a performance penalty,
+# expected to be locally cached).
+dontaudit domain runtime_event_log_tags_file:file { open read };
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init is allowed to enter the logd domain via exec()
+neverallow { domain -init } logd:process transition;
+neverallow * logd:process dyntransition;
+
+# protect the event-log-tags file
+neverallow {
+  domain
+  -init
+  -logd
+} runtime_event_log_tags_file:file no_w_file_perms;
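Review bot: `r_dir_file(logd, domain)` lets logd read the /proc entries of every process on the system (domain is the attribute of all process types) and carries no comment; it is the broadest read grant in this file and the reason should be recorded, e.g. `# Read /proc/<pid>/ of any process (presumably for pid->name resolution in log records) - TODO confirm and scope.` Similarly `audit_control` in the capability line is undocumented; it permits changing kernel audit rules, not merely relaying messages, so say why logd needs it. The comment on the ptrace neverallow says "except on userdebug or eng builds", but the rule only exempts `crash_dump` on those builds; `# ... and nobody may ptrace me (except crash_dump on userdebug/eng builds)` is the accurate wording.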
diff --git a/public/logpersist.te b/public/logpersist.te
new file mode 100644
index 0000000..7536cb8
--- /dev/null
+++ b/public/logpersist.te
@@ -0,0 +1,26 @@
+# android debug logging, logpersist domains
+type logpersist, domain;
+
+###
+### Neverallow rules
+###
+### logpersist should NEVER do any of this
+
+# Block device access.
+neverallow logpersist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logpersist domain:process ptrace;
+
+# Write to files in /data/data or system files on /data except misc_logd_file
+neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init should be allowed to enter the logpersist domain via exec()
+# Following is a list of debug domains we know that transition to logpersist
+# neverallow_with_undefined_domains {
+#   domain
+#   -init       # goldfish, logcatd, raft
+#   -mmi        # bat, mtp8996, msmcobalt
+#   -system_app # Smith.apk
+# } logpersist:process transition;
+neverallow * logpersist:process dyntransition;
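Review bot: The transition restriction for logpersist exists only as a comment (`# neverallow_with_undefined_domains { ... } logpersist:process transition;`), so nothing in this file stops an arbitrary domain from transitioning into logpersist; only `dyntransition` is blocked by the live rule beneath it. If the blocker is that mmi and other device domains are not defined in public policy, say so with a tracking reference, or place the rule where those domains can be named, rather than leaving a disabled neverallow that reads as if it were enforced. At minimum the comment should open with something like `# NOT ENFORCED: ...` so the gap is visible.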
diff --git a/public/mdnsd.te b/public/mdnsd.te
new file mode 100644
index 0000000..ef7b065
--- /dev/null
+++ b/public/mdnsd.te
@@ -0,0 +1,2 @@
+# mdns daemon
+type mdnsd, domain;
diff --git a/public/mediacodec.te b/public/mediacodec.te
new file mode 100644
index 0000000..5ca41fc
--- /dev/null
+++ b/public/mediacodec.te
@@ -0,0 +1,67 @@
+# mediacodec - audio and video codecs live here
+type mediacodec, domain;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;
+
+typeattribute mediacodec mlstrustedsubject;
+
+# TODO(b/36375899) attributize this domain appropriately as hal_omx
+# and use macro hal_server_domain
+get_prop(mediacodec, hwservicemanager_prop)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
+not_full_treble(`
+    # on legacy devices, continue to allow /dev/binder traffic
+    binder_use(mediacodec)
+    binder_service(mediacodec)
+    add_service(mediacodec, mediacodec_service)
+    allow mediacodec mediametrics_service:service_manager find;
+    allow mediacodec surfaceflinger_service:service_manager find;
+')
+binder_call(mediacodec, binderservicedomain)
+binder_call(mediacodec, appdomain)
+
+# Allow mediacodec access to composer sync fences
+allow mediacodec hal_graphics_composer:fd use;
+
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir search;
+allow mediacodec ion_device:chr_file rw_file_perms;
+allow mediacodec hal_camera:fd use;
+
+crash_dump_fallback(mediacodec)
+
+add_hwservice(mediacodec, hal_omx_hwservice)
+
+hal_client_domain(mediacodec, hal_allocator)
+
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
+# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to mediacodec via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use pdx_client macro.
+allow mediacodec bufferhubd:fd use;
+
+###
+### neverallow rules
+###
+
+# mediacodec should never execute any executable without a
+# domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
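Review bot: `binder_call(mediacodec, appdomain)` allows mediacodec to make binder calls into any app process and use their fds, with no comment; given the neverallow block below stresses that mediacodec is a sandboxed, high-risk domain, the reason for an app-wide call permission should be recorded, e.g. `# Callbacks and buffer returns to the app that created the codec (appdomain covers every app) - presumably required by the binder callback model.` The `gpu_device`, `video_device` and `ion_device` rw lines are likewise undocumented; a short reason per device type helps keep this surface from growing silently.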
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
new file mode 100644
index 0000000..cef8121
--- /dev/null
+++ b/public/mediadrmserver.te
@@ -0,0 +1,33 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+hal_client_domain(mediadrmserver, hal_drm)
+
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
+allow mediadrmserver processinfo_service:service_manager find;
+allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
+
+add_service(mediadrmserver, mediacasserver_service)
+
+binder_call(mediadrmserver, mediacodec)
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
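Review bot: `net_domain(mediadrmserver)` gives this domain network sockets, the opposite of the sibling media domains in this change (mediacodec, mediaextractor and mediametrics each `neverallow ... { tcp_socket udp_socket rawip_socket } *`), and the only network-related restriction here is the `neverallowxperm` on privileged ioctls. The reason should be stated so the asymmetry is clearly deliberate, e.g. `# Network access: needed for DRM license/provisioning traffic (TODO confirm); unlike the other media domains this one is not network-isolated.` The trailing `binder_call(mediadrmserver, mediacodec)` is appended after the service grants with no blank line or comment; group it with the other binder_call lines and say what it is for.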
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
new file mode 100644
index 0000000..e1b460d
--- /dev/null
+++ b/public/mediaextractor.te
@@ -0,0 +1,49 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain;
+type mediaextractor_exec, exec_type, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+add_service(mediaextractor, mediaextractor_service)
+allow mediaextractor mediametrics_service:service_manager find;
+allow mediaextractor mediacasserver_service:service_manager find;
+
+allow mediaextractor system_server:fd use;
+
+r_dir_file(mediaextractor, cgroup)
+allow mediaextractor proc_meminfo:file r_file_perms;
+
+crash_dump_fallback(mediaextractor)
+
+# allow mediaextractor read permissions for file sources
+allow mediaextractor media_rw_data_file:file { getattr read };
+
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/mediametrics.te b/public/mediametrics.te
new file mode 100644
index 0000000..4c10d87
--- /dev/null
+++ b/public/mediametrics.te
@@ -0,0 +1,38 @@
+# mediametrics - daemon for collecting media.metrics data
+type mediametrics, domain;
+type mediametrics_exec, exec_type, file_type;
+
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+add_service(mediametrics, mediametrics_service)
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+# allows interactions with dumpsys to GMScore
+allow mediametrics app_data_file:file write;
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
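Review bot: `allow mediametrics app_data_file:file write;` in the middle of the hunk grants write on every file labelled app_data_file, and the comment `# allows interactions with dumpsys to GMScore` does not explain why a metrics daemon needs that. No `open` is granted, so presumably this is meant for a descriptor the caller hands over and the daemon cannot reach app files on its own; if so, say it and pin it, the way profman is pinned elsewhere in this tree: `# Write to an app file descriptor passed over Binder (dumpsys output); no open, so mediametrics cannot reach app data itself.` followed by `neverallow mediametrics app_data_file:notdevfile_class_set open;`. That keeps a later `open` grant from silently widening this into arbitrary app-data access.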
diff --git a/mediaserver.te b/public/mediaserver.te
similarity index 80%
rename from mediaserver.te
rename to public/mediaserver.te
index 5fbaa30..6efaf0f 100644
--- a/mediaserver.te
+++ b/public/mediaserver.te
@@ -1,13 +1,16 @@
 # mediaserver - multimedia daemon
-type mediaserver, domain, domain_deprecated;
+type mediaserver, domain;
 type mediaserver_exec, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
 
+# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
+typeattribute mediaserver halclientdomain;
+
 net_domain(mediaserver)
-init_daemon_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, cgroup)
 
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;
@@ -22,7 +25,7 @@
 
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, { appdomain autoplay_app })
+binder_call(mediaserver, appdomain)
 binder_service(mediaserver)
 
 allow mediaserver media_data_file:dir create_dir_perms;
@@ -48,7 +51,7 @@
 allow mediaserver radio_data_file:file { read getattr };
 
 # Use pipes passed over Binder from app domains.
-allow mediaserver { appdomain autoplay_app }:fifo_file { getattr read write };
+allow mediaserver appdomain:fifo_file { getattr read write };
 
 allow mediaserver rpmsg_device:chr_file rw_file_perms;
 
@@ -64,9 +67,6 @@
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;
 
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
-
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
 unix_socket_connect(mediaserver, drmserver, drmserver)
@@ -75,9 +75,7 @@
 # but seems appropriate for all devices.
 unix_socket_connect(mediaserver, bluetooth, bluetooth)
 
-# Connect to tee service.
-allow mediaserver tee:unix_stream_socket connectto;
-
+add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
@@ -86,7 +84,7 @@
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediacodec_service:service_manager find;
-allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver mediametrics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
 allow mediaserver power_service:service_manager find;
@@ -94,6 +92,12 @@
 allow mediaserver scheduling_policy_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 
+# for ModDrm/MediaPlayer
+allow mediaserver mediadrmserver_service:service_manager find;
+
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
 # /oem access
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
@@ -120,8 +124,19 @@
 allow mediaserver media_rw_data_file:dir create_dir_perms;
 allow mediaserver media_rw_data_file:file create_file_perms;
 
-# Access to /data/preloads
-allow mediaserver preloads_data_file:file { getattr read ioctl };
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
+
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
+allow mediaserver hal_camera:fd use;
+
+allow mediaserver system_server:fd use;
+
+hal_client_domain(mediaserver, hal_allocator)
+
+binder_call(mediaserver, mediacodec)
 
 ###
 ### neverallow rules
diff --git a/public/modprobe.te b/public/modprobe.te
new file mode 100644
index 0000000..24a6b3b
--- /dev/null
+++ b/public/modprobe.te
@@ -0,0 +1,10 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe self:capability sys_module;
+recovery_only(`
+  allow modprobe rootfs:system module_load;
+  allow modprobe rootfs:file r_file_perms;
+')
+allow modprobe { system_file vendor_file }:system module_load;
+r_dir_file(modprobe, { system_file vendor_file })
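Review bot: `allow modprobe { system_file vendor_file }:system module_load;` lets modprobe load a kernel module from any file carrying either label, i.e. essentially all of /system and /vendor rather than the module directory alone, and together with `sys_module` that is the most privileged thing a userspace domain can do. If the module files can be given their own type (the directory modprobe actually reads from), restrict both `module_load` and the `r_dir_file` grant to that type and add a comment naming the path it covers. I cannot see from this hunk whether another file already limits `module_load` to modprobe and the other legitimate loaders; if not, a `neverallow { domain -modprobe ... } *:system module_load;` rule, with the exclusions confirmed against the rest of the policy, would be the natural companion.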
diff --git a/mtp.te b/public/mtp.te
similarity index 65%
rename from mtp.te
rename to public/mtp.te
index 9677abd..a776240 100644
--- a/mtp.te
+++ b/public/mtp.te
@@ -1,12 +1,11 @@
 # vpn tunneling protocol manager
-type mtp, domain, domain_deprecated;
+type mtp, domain;
 type mtp_exec, exec_type, file_type;
 
-init_daemon_domain(mtp)
 net_domain(mtp)
 
 # pptp policy
-allow mtp self:socket create_socket_perms;
+allow mtp self:socket create_socket_perms_no_ioctl;
 allow mtp self:capability net_raw;
 allow mtp ppp:process signal;
 allow mtp vpn_data_file:dir search;
diff --git a/public/net.te b/public/net.te
new file mode 100644
index 0000000..7e00ed8
--- /dev/null
+++ b/public/net.te
@@ -0,0 +1,4 @@
+# Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
diff --git a/public/netd.te b/public/netd.te
new file mode 100644
index 0000000..691887f
--- /dev/null
+++ b/public/netd.te
@@ -0,0 +1,110 @@
+# network manager
+type netd, domain, mlstrustedsubject;
+type netd_exec, exec_type, file_type;
+
+net_domain(netd)
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(netd, cgroup)
+allow netd system_server:fd use;
+
+allow netd self:capability { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set.  We do not appear to truly need this capability
+# for netd to operate.
+dontaudit netd self:capability fsetid;
+
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
+allow netd devpts:chr_file rw_file_perms;
+
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
+
+r_dir_file(netd, proc_net)
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net:file rw_file_perms;
+
+# Enables PppController and interface enumeration (among others)
+r_dir_file(netd, sysfs_type)
+# Allows setting interface MTU
+allow netd sysfs:file write;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
+# TODO: netd previously thought it needed these permissions to do WiFi related
+#       work.  However, after all the WiFi stuff is gone, we still need them.
+#       Why?
+allow netd self:capability { dac_override chown };
+
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+allow netd self:capability fowner;
+
+# Allow netd to spawn dnsmasq in it's own domain
+allow netd dnsmasq:process signal;
+
+# Allow netd to start clatd in its own domain
+allow netd clatd:process signal;
+
+set_prop(netd, ctl_mdnsd_prop)
+
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+add_service(netd, netd_service)
+allow netd dumpstate:fifo_file  { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects netd events.
+allow netd netd_listener_service:service_manager find;
+
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{
+  tcp_socket
+  udp_socket
+  rawip_socket
+  tun_socket
+} { read write getattr setattr getopt setopt };
+allow netd netdomain:fd use;
+
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server, dumpstate and netd  may interact with netd over binder
+neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } netd:binder call;
+neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
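Review bot: `allow netd sysfs:file write;` grants write on every file labelled sysfs, far more than the `# Allows setting interface MTU` comment above it describes, and `allow netd sysfs_usb:file write;` two lines later survives only with a `TODO ... Remove me?`; neither write is audited, so nothing will ever show whether they are exercised. Narrow the MTU rule to a dedicated type for the interface sysfs nodes if one exists or can be added; otherwise document the actual paths netd writes and pair the two grants with `auditallow netd { sysfs sysfs_usb }:file write;` so the TODO can be resolved on real data. The same treatment would help `allow netd self:capability { dac_override chown };`, whose comment openly says nobody knows why it is still needed.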
diff --git a/public/netutils_wrapper.te b/public/netutils_wrapper.te
new file mode 100644
index 0000000..c844762
--- /dev/null
+++ b/public/netutils_wrapper.te
@@ -0,0 +1,4 @@
+type netutils_wrapper, domain;
+type netutils_wrapper_exec, exec_type, file_type;
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/public/neverallow_macros b/public/neverallow_macros
new file mode 100644
index 0000000..e2b6ed1
--- /dev/null
+++ b/public/neverallow_macros
@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+  neverallow $1 $2:socket_class_set { connect sendto };
+  neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/public/nfc.te b/public/nfc.te
new file mode 100644
index 0000000..e3a03e7
--- /dev/null
+++ b/public/nfc.te
@@ -0,0 +1,2 @@
+# nfc subsystem
+type nfc, domain;
diff --git a/otapreopt_chroot.te b/public/otapreopt_chroot.te
similarity index 84%
rename from otapreopt_chroot.te
rename to public/otapreopt_chroot.te
index 1c5f2ee..c071f44 100644
--- a/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -13,9 +13,6 @@
 # Mounting /vendor can have this side-effect. Ignore denial.
 dontaudit otapreopt_chroot kernel:process setsched;
 
-# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
-
 # Allow otapreopt to use file descriptors from update-engine. It will
 # close them immediately.
 allow otapreopt_chroot postinstall:fd use;
diff --git a/otapreopt_slot.te b/public/otapreopt_slot.te
similarity index 85%
rename from otapreopt_slot.te
rename to public/otapreopt_slot.te
index 2f4da0a..6551864 100644
--- a/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -6,14 +6,13 @@
 type otapreopt_slot, domain, mlstrustedsubject;
 type otapreopt_slot_exec, exec_type, file_type;
 
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
 
 # The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
 # the directory afterwards. For logging of aggregate size, we need getattr.
 allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:file { getattr };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
 
 # Delete old content of the dalvik-cache.
 allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
diff --git a/public/performanced.te b/public/performanced.te
new file mode 100644
index 0000000..3d3fadb
--- /dev/null
+++ b/public/performanced.te
@@ -0,0 +1,18 @@
+# performanced
+type performanced, domain, mlstrustedsubject;
+type performanced_exec, exec_type, file_type;
+
+pdx_server(performanced, performance_client)
+
+# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
+allow performanced self:capability { setuid setgid sys_nice };
+
+# Access /proc to validate we're only affecting threads in the same thread group.
+# Performanced also shields unbound kernel threads.  It scans every task in the
+# root cpu set, but only affects the kernel threads.
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
+dontaudit performanced domain:dir read;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+
+# Access /dev/cpuset/cpuset.cpus
+r_dir_file(performanced, cgroup)
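Review bot: The comment `# Access /proc to validate we're only affecting threads in the same thread group.` reads as if the policy enforced that restriction, but the grant below it, `allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;`, covers every process in those domains; the thread-group check can only live in performanced's own code, and the policy cannot express it. Reword so the next reader does not over-trust the rule: `# performanced reads /proc to check that a caller only reschedules threads of its own thread group; that check is enforced in the daemon, not here -- this rule permits setsched on any process in these domains.` The `dontaudit performanced domain:dir read;` on the next line also silences its /proc scans of every other domain, which is fine for noise but deserves a word so it is not mistaken for a grant.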
diff --git a/perfprofd.te b/public/perfprofd.te
similarity index 94%
rename from perfprofd.te
rename to public/perfprofd.te
index 0122c55..bfb8693 100644
--- a/perfprofd.te
+++ b/public/perfprofd.te
@@ -1,11 +1,11 @@
 # perfprofd - perf profile collection daemon
+type perfprofd, domain;
 type perfprofd_exec, exec_type, file_type;
 
 userdebug_or_eng(`
 
-  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
-
-  init_daemon_domain(perfprofd)
+  typeattribute perfprofd coredomain;
+  typeattribute perfprofd mlstrustedsubject;
 
   # perfprofd needs to control CPU hot-plug in order to avoid kernel
   # perfevents problems in cases where CPU goes on/off during measurement;
diff --git a/public/platform_app.te b/public/platform_app.te
new file mode 100644
index 0000000..9b1faf0
--- /dev/null
+++ b/public/platform_app.te
@@ -0,0 +1,5 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
diff --git a/postinstall.te b/public/postinstall.te
similarity index 94%
rename from postinstall.te
rename to public/postinstall.te
index 0f6bb74..7fd4dc6 100644
--- a/postinstall.te
+++ b/public/postinstall.te
@@ -30,8 +30,6 @@
 # Need to talk to the otadexopt service.
 allow postinstall otadexopt_service:service_manager find;
 
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
-
 # No domain other than update_engine and recovery (via update_engine_sideload)
 # should transition to postinstall, as it is only meant to run during the
 # update.
diff --git a/postinstall_dexopt.te b/public/postinstall_dexopt.te
similarity index 88%
rename from postinstall_dexopt.te
rename to public/postinstall_dexopt.te
index c5b2533..0ce617b 100644
--- a/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,10 +5,11 @@
 
 type postinstall_dexopt, domain;
 
-# init_daemon_domain(otapreopt)
 allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
 
+allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:lnk_file read;
 allow postinstall_dexopt proc:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
 
@@ -17,6 +18,8 @@
 
 # Read app data (APKs) as input to dex2oat.
 r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
 # Access to app oat directory.
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)
 
@@ -39,15 +42,10 @@
 allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
 allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
 
-allow postinstall_dexopt selinuxfs:dir r_dir_perms;
-
 # Check validity of SELinux context before use.
 selinux_check_context(postinstall_dexopt)
 selinux_check_access(postinstall_dexopt)
 
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
 
 # Postinstall wants to know about our child.
 allow postinstall_dexopt postinstall:process sigchld;
diff --git a/ppp.te b/public/ppp.te
similarity index 65%
rename from ppp.te
rename to public/ppp.te
index d7ed70d..04e17f5 100644
--- a/ppp.te
+++ b/public/ppp.te
@@ -1,16 +1,23 @@
 # Point to Point Protocol daemon
-type ppp, domain, domain_deprecated;
+type ppp, domain;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
-domain_auto_trans(mtp, ppp_exec, ppp)
 
 net_domain(ppp)
 
+r_dir_file(ppp, proc_net)
+
 allow ppp mtp:socket rw_socket_perms;
+
+# ioctls needed for VPN.
+allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
+allowxperm ppp mtp:socket ioctl ppp_ioctls;
+
 allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
 allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
 allow ppp mtp:fd use;
diff --git a/preopt2cachename.te b/public/preopt2cachename.te
similarity index 100%
rename from preopt2cachename.te
rename to public/preopt2cachename.te
diff --git a/public/priv_app.te b/public/priv_app.te
new file mode 100644
index 0000000..0761fc3
--- /dev/null
+++ b/public/priv_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+type priv_app, domain;
diff --git a/profman.te b/public/profman.te
similarity index 69%
rename from profman.te
rename to public/profman.te
index fa3df94..a5c18b5 100644
--- a/profman.te
+++ b/public/profman.te
@@ -14,4 +14,13 @@
 
 allow profman installd:fd use;
 
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman app_data_file:file { getattr read write lock };
+
+###
+### neverallow rules
+###
+
 neverallow profman app_data_file:notdevfile_class_set open;
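Review bot: The new `allow profman app_data_file:file { getattr read write lock };` is only safe because the trailing `neverallow profman app_data_file:notdevfile_class_set open;` keeps profman from opening those files itself, so it can only work on descriptors it inherits (`allow profman installd:fd use;` above); the comment does not say this, and the pairing is the whole point of the grant. Extend it: `# profman never opens app files itself (see the neverallow below); it works on descriptors installd passes in.` The earlier lines of this file are outside the hunk.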
diff --git a/property.te b/public/property.te
similarity index 61%
rename from property.te
rename to public/property.te
index af7013f..d6fa868 100644
--- a/property.te
+++ b/public/property.te
@@ -1,42 +1,89 @@
-type default_prop, property_type, core_property_type;
-type shell_prop, property_type, core_property_type;
-type debug_prop, property_type, core_property_type;
-type dumpstate_prop, property_type, core_property_type;
-type persist_debug_prop, property_type, core_property_type;
-type debuggerd_prop, property_type, core_property_type;
-type dhcp_prop, property_type, core_property_type;
-type fingerprint_prop, property_type, core_property_type;
-type ffs_prop, property_type, core_property_type;
-type radio_prop, property_type, core_property_type;
-type net_radio_prop, property_type, core_property_type;
-type system_radio_prop, property_type, core_property_type;
-type system_prop, property_type, core_property_type;
-type vold_prop, property_type, core_property_type;
-type wifi_log_prop, property_type, log_property_type;
+type asan_reboot_prop, property_type;
+type audio_prop, property_type, core_property_type;
+type boottime_prop, property_type;
+type bluetooth_prop, property_type;
+type config_prop, property_type, core_property_type;
+type cppreopt_prop, property_type, core_property_type;
 type ctl_bootanim_prop, property_type;
+type ctl_bugreport_prop, property_type;
+type ctl_console_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
 type ctl_fuse_prop, property_type;
 type ctl_mdnsd_prop, property_type;
 type ctl_rildaemon_prop, property_type;
-type ctl_bugreport_prop, property_type;
-type ctl_console_prop, property_type;
-type audio_prop, property_type, core_property_type;
-type log_prop, property_type, log_property_type;
-type log_tag_prop, property_type, log_property_type;
+type dalvik_prop, property_type, core_property_type;
+type debuggerd_prop, property_type, core_property_type;
+type debug_prop, property_type, core_property_type;
+type default_prop, property_type, core_property_type;
+type device_logging_prop, property_type;
+type dhcp_prop, property_type, core_property_type;
+type dumpstate_options_prop, property_type;
+type dumpstate_prop, property_type, core_property_type;
+type ffs_prop, property_type, core_property_type;
+type fingerprint_prop, property_type, core_property_type;
+type firstboot_prop, property_type;
+type hwservicemanager_prop, property_type;
 type logd_prop, property_type, core_property_type;
 type logpersistd_logging_prop, property_type;
+type log_prop, property_type, log_property_type;
+type log_tag_prop, property_type, log_property_type;
 type mmc_prop, property_type;
-type restorecon_prop, property_type, core_property_type;
-type security_prop, property_type, core_property_type;
-type bluetooth_prop, property_type, core_property_type;
-type pan_result_prop, property_type, core_property_type;
-type powerctl_prop, property_type, core_property_type;
-type cppreopt_prop, property_type, core_property_type;
+type net_dns_prop, property_type;
+type net_radio_prop, property_type, core_property_type;
 type nfc_prop, property_type, core_property_type;
-type dalvik_prop, property_type, core_property_type;
-type config_prop, property_type, core_property_type;
-type device_logging_prop, property_type;
+type overlay_prop, property_type;
+type pan_result_prop, property_type, core_property_type;
+type persist_debug_prop, property_type, core_property_type;
+type persistent_properties_ready_prop, property_type;
+type powerctl_prop, property_type, core_property_type;
+type radio_prop, property_type, core_property_type;
+type restorecon_prop, property_type, core_property_type;
 type safemode_prop, property_type;
+type serialno_prop, property_type;
+type shell_prop, property_type, core_property_type;
+type system_prop, property_type, core_property_type;
+type system_radio_prop, property_type, core_property_type;
+type vold_prop, property_type, core_property_type;
+type wifi_log_prop, property_type, log_property_type;
+type wifi_prop, property_type;
 
 allow property_type tmpfs:filesystem associate;
+
+###
+### Neverallow rules
+###
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+neverallow * {
+  core_property_type
+  -audio_prop
+  -config_prop
+  -cppreopt_prop
+  -dalvik_prop
+  -debuggerd_prop
+  -debug_prop
+  -default_prop
+  -dhcp_prop
+  -dumpstate_prop
+  -ffs_prop
+  -fingerprint_prop
+  -logd_prop
+  -net_radio_prop
+  -nfc_prop
+  -pan_result_prop
+  -persist_debug_prop
+  -powerctl_prop
+  -radio_prop
+  -restorecon_prop
+  -shell_prop
+  -system_prop
+  -system_radio_prop
+  -vold_prop
+}:file no_rw_file_perms;
diff --git a/racoon.te b/public/racoon.te
similarity index 70%
rename from racoon.te
rename to public/racoon.te
index bf272d1..00744d8 100644
--- a/racoon.te
+++ b/public/racoon.te
@@ -1,11 +1,11 @@
 # IKE key management daemon
-type racoon, domain, domain_deprecated;
+type racoon, domain;
 type racoon_exec, exec_type, file_type;
 
-init_daemon_domain(racoon)
 typeattribute racoon mlstrustedsubject;
 
 net_domain(racoon)
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
 
 binder_use(racoon)
 
@@ -13,12 +13,13 @@
 allow racoon cgroup:dir { add_name create };
 allow racoon kernel:system module_request;
 
-allow racoon self:key_socket create_socket_perms;
-allow racoon self:tun_socket create_socket_perms;
-allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+allow racoon self:key_socket create_socket_perms_no_ioctl;
+allow racoon self:tun_socket create_socket_perms_no_ioctl;
+allow racoon self:capability { net_admin net_bind_service net_raw };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
 
diff --git a/radio.te b/public/radio.te
similarity index 77%
rename from radio.te
rename to public/radio.te
index 591c3bc..87329d9 100644
--- a/radio.te
+++ b/public/radio.te
@@ -1,10 +1,11 @@
 # phone subsystem
-type radio, domain, domain_deprecated, mlstrustedsubject;
-app_domain(radio)
+type radio, domain, mlstrustedsubject;
+
 net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
 
+# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
 # Talks to rild via the rild socket.
 unix_socket_connect(radio, rild, rild)
 
@@ -19,20 +20,21 @@
 
 # Property service
 set_prop(radio, radio_prop)
-set_prop(radio, system_radio_prop)
 set_prop(radio, net_radio_prop)
-auditallow radio net_radio_prop:property_service set;
-auditallow radio system_radio_prop:property_service set;
 
 # ctl interface
 set_prop(radio, ctl_rildaemon_prop)
 
+add_service(radio, radio_service)
 allow radio audioserver_service:service_manager find;
 allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio nfc_service:service_manager find;
-allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;
+
+# Perform HwBinder IPC.
+hwbinder_use(radio)
+hal_client_domain(radio, hal_telephony)
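Review bot: `auditallow radio net_radio_prop:property_service set;` is removed while `set_prop(radio, net_radio_prop)` stays, so whatever that audit was meant to establish about radio still needing the grant is no longer being measured; the sibling `system_radio_prop` grant was dropped together with its audit, which suggests net_radio_prop was meant to be decided the same way. If the grant is confirmed necessary, record that next to it, e.g. `# radio still needs to set net_radio_prop; confirmed by audit data before the auditallow was removed.`, otherwise keep the auditallow until the data exists. I cannot tell from this hunk whether the audit data was actually collected before the removal.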
diff --git a/recovery.te b/public/recovery.te
similarity index 82%
rename from recovery.te
rename to public/recovery.te
index a0af3ee..f55dc8a 100644
--- a/recovery.te
+++ b/public/recovery.te
@@ -2,13 +2,15 @@
 
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
-type recovery, domain, domain_deprecated;
+type recovery, domain;
 
 # But the allow rules are only included in the recovery policy.
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
   # Allow recovery to perform an update as update_engine would do.
-  typeattribute recovery update_engine_common, boot_control_hal;
+  typeattribute recovery update_engine_common;
+  # Recovery can only use HALs in passthrough mode
+  passthrough_hal_client_domain(recovery, hal_bootctl)
 
   allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 
@@ -28,13 +30,15 @@
 
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
   # We may be asked to set an SELinux label for a type not known to the
   # currently loaded policy. Allow it.
   allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+  # Get file contexts
+  allow recovery file_contexts_file:file r_file_perms;
 
   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
   # support to OTAs. However, that code has a bug. When an update occurs,
@@ -47,6 +51,9 @@
   # Write to /proc/sys/vm/drop_caches
   allow recovery proc_drop_caches:file w_file_perms;
 
+  # Read kernel config through libvintf for OTA matching
+  allow recovery config_gz:file { open read getattr };
+
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
   allow recovery sysfs:file w_file_perms;
@@ -56,10 +63,15 @@
 
   allow recovery sysfs_batteryinfo:file r_file_perms;
 
+  # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
+  # control backlight brightness.
+  allow recovery sysfs_leds:dir r_dir_perms;
+  allow recovery sysfs_leds:file rw_file_perms;
+  allow recovery sysfs_leds:lnk_file read;
+
   allow recovery kernel:system syslog_read;
 
-  # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
-  allow recovery adb_device:chr_file rw_file_perms;
+  # Access /dev/usb-ffs/adb/ep0
   allow recovery functionfs:dir search;
   allow recovery functionfs:file rw_file_perms;
 
@@ -69,8 +81,6 @@
   allow recovery dev_type:blk_file rw_file_perms;
 
   # GUI
-  allow recovery self:process execmem;
-  allow recovery ashmem_device:chr_file execute;
   allow recovery graphics_device:chr_file rw_file_perms;
   allow recovery graphics_device:dir r_dir_perms;
   allow recovery input_device:dir r_dir_perms;
@@ -85,6 +95,9 @@
   allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
   allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
+  # Read /sys/class/thermal/*/temp for thermal info.
+  r_dir_file(recovery, sysfs_thermal)
+
   # Read files on /oem.
   r_dir_file(recovery, oemfs);
 
@@ -94,6 +107,9 @@
   # Start/stop adbd via ctl.start adbd
   set_prop(recovery, ctl_default_prop)
 
+  # Read serial number of the device from system properties
+  get_prop(recovery, serialno_prop)
+
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
 
diff --git a/recovery_persist.te b/public/recovery_persist.te
similarity index 75%
rename from recovery_persist.te
rename to public/recovery_persist.te
index 19a240f..091d300 100644
--- a/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -2,8 +2,6 @@
 type recovery_persist, domain;
 type recovery_persist_exec, exec_type, file_type;
 
-init_daemon_domain(recovery_persist)
-
 allow recovery_persist pstorefs:dir search;
 allow recovery_persist pstorefs:file r_file_perms;
 
@@ -27,5 +25,3 @@
 # Write to files in /data/data
 neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
 
-# recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/recovery_refresh.te b/public/recovery_refresh.te
similarity index 78%
rename from recovery_refresh.te
rename to public/recovery_refresh.te
index 9fae110..602ed51 100644
--- a/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -2,8 +2,6 @@
 type recovery_refresh, domain;
 type recovery_refresh_exec, exec_type, file_type;
 
-init_daemon_domain(recovery_refresh)
-
 allow recovery_refresh pstorefs:dir search;
 allow recovery_refresh pstorefs:file r_file_perms;
 # NB: domain inherits write_logd which hands us write to pmsg_device
@@ -24,6 +22,3 @@
 
 # Write to files in /data/data or system files on /data
 neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
-
-# recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/rild.te b/public/rild.te
similarity index 64%
rename from rild.te
rename to public/rild.te
index e2856a3..14420df 100644
--- a/rild.te
+++ b/public/rild.te
@@ -1,14 +1,16 @@
 # rild - radio interface layer daemon
-type rild, domain, domain_deprecated;
-type rild_exec, exec_type, file_type;
+type rild, domain;
+hal_server_domain(rild, hal_telephony)
 
-init_daemon_domain(rild)
 net_domain(rild)
+allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
+
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
-allow rild self:capability { setuid net_admin net_raw };
+allow rild self:capability { setpcap setgid setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
+allow rild cgroup:{ file lnk_file } r_file_perms;
 allow rild radio_device:chr_file rw_file_perms;
 allow rild radio_device:blk_file r_file_perms;
 allow rild mtd_device:dir search;
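Review bot: `allowxperm rild self:udp_socket ioctl priv_sock_ioctls;` grants the whole privileged-ioctl set on UDP sockets with no comment, while the second hunk of this file says `# granting the ioctl permission for rild should be device specific` and moves the netlink and generic sockets to `create_socket_perms_no_ioctl`. If the UDP grant is intended to stay in the public policy, a why-comment above it would reconcile the two, e.g. `# Privileged socket ioctls on UDP sockets are granted here even though other ioctl grants are left to device policy — TODO(review): confirm the exact ioctls rild needs and narrow this set.` The widened `capability { setpcap setgid setuid net_admin net_raw }` likewise adds setpcap and setgid without saying why; a short comment on what rild drops or switches to would help the next reviewer. The base `ioctl` permission that the allowxperm refines is presumably supplied by `net_domain(rild)`, which is not visible here.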
@@ -26,22 +28,22 @@
 
 # property service
 set_prop(rild, radio_prop)
-set_prop(rild, net_radio_prop)
-set_prop(rild, system_radio_prop)
-auditallow rild net_radio_prop:property_service set;
-auditallow rild system_radio_prop:property_service set;
-
-# Read/Write to uart driver (for GPS)
-allow rild gps_device:chr_file rw_file_perms;
 
 allow rild tty_device:chr_file rw_file_perms;
 
 # Allow rild to create and use netlink sockets.
-allow rild self:netlink_socket create_socket_perms;
-allow rild self:netlink_generic_socket create_socket_perms;
-allow rild self:netlink_kobject_uevent_socket create_socket_perms;
+allow rild self:netlink_socket create_socket_perms_no_ioctl;
+allow rild self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow rild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
 # Access to wake locks
 wakelock_use(rild)
 
-allow rild self:socket create_socket_perms;
+r_dir_file(rild, proc)
+r_dir_file(rild, proc_net)
+r_dir_file(rild, sysfs_type)
+r_dir_file(rild, system_file)
+
+# granting the ioctl permission for rild should be device specific
+allow rild self:socket create_socket_perms_no_ioctl;
+
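Review bot: `r_dir_file(rild, sysfs_type)` grants read access to every sysfs label rather than the nodes rild actually uses, and unlike the neighbouring `proc`, `proc_net` and `system_file` grants it carries no comment. If rild only needs particular sysfs attributes, a narrower type or at least `# TODO(review): narrow sysfs_type to the specific sysfs labels rild reads` would make the breadth deliberate rather than accidental. The hunk also adds an empty line at end of file (the final `+` with nothing after it), which most repositories reject as trailing whitespace.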
diff --git a/roles b/public/roles
similarity index 72%
rename from roles
rename to public/roles
index af5fe8b..ca92934 100644
--- a/roles
+++ b/public/roles
@@ -1,2 +1 @@
-role r;
 role r types domain;
diff --git a/runas.te b/public/runas.te
similarity index 79%
rename from runas.te
rename to public/runas.te
index 4fa686a..cda02ef 100644
--- a/runas.te
+++ b/public/runas.te
@@ -1,11 +1,10 @@
-type runas, domain, domain_deprecated, mlstrustedsubject;
+type runas, domain, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
 allow runas adbd:process sigchld;
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
+allow runas shell:unix_stream_socket { read write };
 allow runas devpts:chr_file { read write ioctl };
 allow runas shell_data_file:file { read write };
 
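Review bot: `allow runas shell:unix_stream_socket { read write };` is added without a comment, and nothing in the hunk says which socket it is for. Since it sits beside the inherited-descriptor grants `shell:fd use` and `shell:fifo_file { read write }`, it presumably covers shell stdio that arrives as a socket rather than a pipe; a one-liner such as `# run-as inherits adb shell stdio, which may be a pipe or a unix stream socket — confirm` would record that intent so the grant is not mistaken for a new IPC channel.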
@@ -20,12 +19,14 @@
 allow runas self:capability { setuid setgid };
 
 # run-as switches to the app security context.
-# read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
 
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
diff --git a/sdcardd.te b/public/sdcardd.te
similarity index 90%
rename from sdcardd.te
rename to public/sdcardd.te
index 846c59b..47a2f80 100644
--- a/sdcardd.te
+++ b/public/sdcardd.te
@@ -1,9 +1,10 @@
-type sdcardd, domain, domain_deprecated;
+type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
+allow sdcardd sdcardfs:filesystem remount;
 allow sdcardd tmpfs:dir r_dir_perms;
 allow sdcardd mnt_media_rw_file:dir r_dir_perms;
 allow sdcardd storage_file:dir search;
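Review bot: `allow sdcardd sdcardfs:filesystem remount;` is added with no comment explaining why sdcardd needs to change mount options of an sdcardfs mount, and it sits next to `rootfs:dir mounton` which still carries a `TODO: deprecated in M` marker. Remount is a privileged filesystem operation, so a comment such as `# remount sdcardfs to update its mount options — TODO(review): record which options and why` would document the intent. The stale TODO on the mounton line is worth resolving in the same pass if that grant is still required.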
@@ -14,7 +15,6 @@
 allow sdcardd sdcard_type:dir create_dir_perms;
 allow sdcardd sdcard_type:file create_file_perms;
 
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
 allow sdcardd media_rw_data_file:dir create_dir_perms;
 allow sdcardd media_rw_data_file:file create_file_perms;
 
@@ -31,6 +31,9 @@
 # Allow running on top of expanded storage
 allow sdcardd mnt_expand_file:dir search;
 
+# access /proc/filesystems
+allow sdcardd proc:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
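Review bot: The comment `# access /proc/filesystems` describes one file, but `allow sdcardd proc:file r_file_perms;` grants read on every file carrying the generic `proc` label, because /proc/filesystems has no dedicated type in this hunk. If that breadth is intended, the comment should say so, e.g. `# read /proc/filesystems; it carries the generic proc label, so this grants read on all proc-labeled files`. Otherwise a dedicated label for /proc/filesystems (via genfscon) would keep the grant as narrow as the comment suggests.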
diff --git a/public/service.te b/public/service.te
new file mode 100644
index 0000000..da540db
--- /dev/null
+++ b/public/service.te
@@ -0,0 +1,147 @@
+type audioserver_service,       service_manager_type;
+type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type bluetooth_service,         service_manager_type;
+type cameraserver_service,      service_manager_type;
+type default_android_service,   service_manager_type;
+type drmserver_service,         service_manager_type;
+type dumpstate_service,         service_manager_type;
+type fingerprintd_service,      service_manager_type;
+type hal_fingerprint_service,   service_manager_type;
+type gatekeeper_service,        app_api_service, service_manager_type;
+type gpu_service,               service_manager_type;
+type inputflinger_service,      service_manager_type;
+type incident_service,          service_manager_type;
+type installd_service,          service_manager_type;
+type keystore_service,          service_manager_type;
+type mediaserver_service,       service_manager_type;
+type mediametrics_service,      service_manager_type;
+type mediaextractor_service,    service_manager_type;
+type mediacodec_service,        service_manager_type;
+type mediadrmserver_service,    service_manager_type;
+type mediacasserver_service,    service_manager_type;
+type netd_service,              service_manager_type;
+type nfc_service,               service_manager_type;
+type radio_service,             service_manager_type;
+type storaged_service,          service_manager_type;
+type surfaceflinger_service,    service_manager_type;
+type system_app_service,        service_manager_type;
+type update_engine_service,     service_manager_type;
+type virtual_touchpad_service,  service_manager_type;
+type vr_hwc_service,            service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type battery_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service,  system_server_service, service_manager_type;
+type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type commontime_management_service, system_server_service, service_manager_type;
+type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
+# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
+type coverage_service, system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netd_listener_service, system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
+type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
+type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_time_update_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type oem_lock_service, system_api_service, system_server_service, service_manager_type;
+type otadexopt_service, system_server_service, service_manager_type;
+type overlay_service, system_server_service, service_manager_type;
+type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
+type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type recovery_service, system_server_service, service_manager_type;
+type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vr_manager_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wificond_service, service_manager_type;
+type wifiaware_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
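Review bot: Two conventions are mixed in this new file: the first block aligns attribute lists in columns while the `system_server_service` block does not, and most names are lower_snake (`netd_listener_service`) but `IProxyService_service` and `DockObserver_service` carry Java class names. `type contexthub_service, app_api_service,  system_server_service, ...` also has a doubled space. Since this file defines the public service type vocabulary, a short header comment stating what `app_api_service`, `ephemeral_app_api_service`, `system_api_service` and `system_server_service` grant to a reader who has not seen the attribute definitions would be more useful than the lone `coverage_service` note; the attributes themselves are defined elsewhere and not visible here.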
diff --git a/public/servicemanager.te b/public/servicemanager.te
new file mode 100644
index 0000000..3cf5a46
--- /dev/null
+++ b/public/servicemanager.te
@@ -0,0 +1,25 @@
+# servicemanager - the Binder context manager
+type servicemanager, domain, mlstrustedsubject;
+type servicemanager_exec, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains.  It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+  domain
+  -init
+  -hwservicemanager
+  -vndservicemanager
+}:binder transfer;
+
+# Access to all (system and vendor) service_contexts
+# TODO(b/36866029) access to nonplat_service_contexts
+#                  should not be allowed on full treble devices
+allow servicemanager service_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
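Review bot: The header comment states servicemanager never passes its own references or initiates a Binder IPC, but that invariant is only documented, not enforced: the file grants `set_context_mgr` and `transfer` and nothing here forbids `call`. If no other policy file needs to grant it, a `neverallow servicemanager domain:binder call;` next to the existing allows would make the invariant checkable at compile time — confirm against the rest of the policy before adding it. The `TODO(b/36866029)` comment on `service_contexts_file` is a good example of recording a known over-grant; the same style would suit the `transfer` exclusion list, which does not say why hwservicemanager and vndservicemanager are excluded.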
diff --git a/sgdisk.te b/public/sgdisk.te
similarity index 94%
rename from sgdisk.te
rename to public/sgdisk.te
index 43636d4..3007398 100644
--- a/sgdisk.te
+++ b/public/sgdisk.te
@@ -1,5 +1,5 @@
 # sgdisk called from vold
-type sgdisk, domain, domain_deprecated;
+type sgdisk, domain;
 type sgdisk_exec, exec_type, file_type;
 
 # Allowed to read/write low-level partition tables
diff --git a/shared_relro.te b/public/shared_relro.te
similarity index 64%
rename from shared_relro.te
rename to public/shared_relro.te
index 30af14a..91cf44d 100644
--- a/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,9 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain, domain_deprecated;
-
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
+type shared_relro, domain;
 
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/shell.te b/public/shell.te
similarity index 69%
rename from shell.te
rename to public/shell.te
index 3e95b46..1fb896a 100644
--- a/shell.te
+++ b/public/shell.te
@@ -5,21 +5,12 @@
 # Create and use network sockets.
 net_domain(shell)
 
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
 # logcat
 read_logd(shell)
 control_logd(shell)
 # logcat -L (directly, or via dumpstate)
 allow shell pstorefs:dir search;
 allow shell pstorefs:file r_file_perms;
-# logpersistd (nee logcatd) files
-userdebug_or_eng(`
-  allow shell misc_logd_file:dir r_dir_perms;
-  allow shell misc_logd_file:file r_file_perms;
-')
 
 # Root fs.
 allow shell rootfs:dir r_dir_perms;
@@ -69,15 +60,11 @@
 set_prop(shell, powerctl_prop)
 set_prop(shell, log_tag_prop)
 set_prop(shell, wifi_log_prop)
+# adjust is_loggable properties
 userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
 userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
 
-# systrace support - allow atrace to run
-allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file rw_file_perms;
-allow shell debugfs_trace_marker:file getattr;
-allow shell atrace_exec:file rx_file_perms;
-
 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
   allow shell boottrace_data_file:dir rw_dir_perms;
@@ -85,18 +72,33 @@
   set_prop(shell, persist_debug_prop)
 ')
 
-# allow shell to run dmesg
-allow shell kernel:system syslog_read;
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
 
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
+# TODO: why is this so broad? Tightening candidate? It needs at list:
+# - dumpstate_service (so it can receive dumpstate progress updates)
+allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow shell dumpstate:binder call;
+
+# allow shell to get information from hwservicemanager
+# for instance, listing hardware services with lshal
+hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
 
 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)
 r_dir_file(shell, proc_net)
+allow shell proc_interrupts:file r_file_perms;
 allow shell proc_meminfo:file r_file_perms;
+allow shell proc_stat:file r_file_perms;
+allow shell proc_timer:file r_file_perms;
+allow shell proc_zoneinfo:file r_file_perms;
 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
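Review bot: The new comment above the `service_manager find` rule has a typo, `It needs at list:` should read `It needs at least:`, and the retained line `# don't allow shell to access GateKeeper service` is now stale because the exclusion list also covers incident, installd, netd, virtual_touchpad and vr_hwc services. A single comment such as `# shell may find every service except gatekeeper, incident, installd, netd, virtual_touchpad and vr_hwc` would replace both. `allow shell dumpstate:binder call;` is a new Binder grant with no comment of its own; since the TODO just above already mentions receiving dumpstate progress updates, moving that sentence onto the call line would explain it.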
@@ -131,11 +133,28 @@
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow shell media_rw_data_file:dir create_dir_perms;
-allow shell media_rw_data_file:file create_file_perms;
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
 
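Review bot: The new comment block `# filesystem test for insucre blk_file's is done / # via hostside test` has a typo (`insucre` should be `insecure`) and names the test differently from the chr_file block a few lines above (`host side test`). The two blocks could be merged into one, e.g. `# getattr on every dev_type chr_file/blk_file is granted only so the host-side test can check for insecure device-node permissions`. It is also worth stating there that these broad `dev_type` grants are bounded by the neverallows added at the end of this file, so a reader does not flag the grant in isolation.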
 ###
 ### Neverallow rules
@@ -151,3 +170,15 @@
 
 # Do not allow privileged socket ioctl commands
 neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+  fuse_device
+  hw_random_device
+  kmem_device
+  port_device
+}:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;
diff --git a/slideshow.te b/public/slideshow.te
similarity index 91%
rename from slideshow.te
rename to public/slideshow.te
index 3165a65..86d4bff 100644
--- a/slideshow.te
+++ b/public/slideshow.te
@@ -1,6 +1,6 @@
 # slideshow seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type slideshow, domain, domain_deprecated;
+type slideshow, domain;
 
 allow slideshow kmsg_device:chr_file rw_file_perms;
 wakelock_use(slideshow)
diff --git a/su.te b/public/su.te
similarity index 73%
rename from su.te
rename to public/su.te
index f58f7a3..8ddd162 100644
--- a/su.te
+++ b/public/su.te
@@ -1,3 +1,7 @@
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
 # File types must be defined for file_contexts.
 type su_exec, exec_type, file_type;
 
@@ -5,23 +9,13 @@
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command.  The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
-  type su, domain, mlstrustedsubject;
-  domain_auto_trans(shell, su_exec, su)
-
-  # Allow dumpstate to call su on userdebug / eng builds to collect
-  # additional information.
-  domain_auto_trans(dumpstate, su_exec, su)
-
-  # Make sure that dumpstate runs the same from the "su" domain as
-  # from the "init" domain.
-  domain_auto_trans(su, dumpstate_exec, dumpstate)
-
-  # su is also permissive to permit setenforce.
-  permissive su;
+  typeattribute su mlstrustedsubject;
 
   # Add su to various domains
   net_domain(su)
-  app_domain(su)
+
+  # grant su access to vndbinder
+  vndbinder_use(su)
 
   dontaudit su self:capability_class_set *;
   dontaudit su kernel:security *;
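Review bot: The retained comment `# wrapped to ensure that it does not exist at all on -user builds` is now inaccurate: the first hunk of this file defines `type su, domain;` unconditionally so policy compiles on every variant, and only the attribute and allow rules remain inside `userdebug_or_eng`. Rewording it to `# The su type always exists so policy compiles; its permissions are wrapped so that su can do nothing on -user builds.` keeps the two hunks consistent. `permissive su;` and the domain_auto_trans rules are dropped here with nothing in the hunk saying where they went; if they were relocated to the private policy, as the public/ rename suggests, a pointer comment would save the next reader a search.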
@@ -47,9 +41,13 @@
   dontaudit su property_type:property_service *;
   dontaudit su property_type:file *;
   dontaudit su service_manager_type:service_manager *;
+  dontaudit su hwservice_manager_type:hwservice_manager *;
+  dontaudit su vndservice_manager_type:service_manager *;
   dontaudit su servicemanager:service_manager list;
+  dontaudit su hwservicemanager:hwservice_manager list;
+  dontaudit su vndservicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
-  dontaudit su domain:debuggerd *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
+  dontaudit su postinstall_file:filesystem *;
 ')
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
new file mode 100644
index 0000000..ae00287
--- /dev/null
+++ b/public/surfaceflinger.te
@@ -0,0 +1,2 @@
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
diff --git a/public/system_app.te b/public/system_app.te
new file mode 100644
index 0000000..023058e
--- /dev/null
+++ b/public/system_app.te
@@ -0,0 +1,7 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings.  These are not as privileged as the system
+### server.
+###
+
+type system_app, domain;
diff --git a/public/system_server.te b/public/system_server.te
new file mode 100644
index 0000000..805d617
--- /dev/null
+++ b/public/system_server.te
@@ -0,0 +1,5 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain;
diff --git a/public/te_macros b/public/te_macros
new file mode 100644
index 0000000..80b5696
--- /dev/null
+++ b/public/te_macros
@@ -0,0 +1,567 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint open read execute getattr };
+# New domain can send SIGCHLD to its caller.
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Define and allow access to a unique type for
+# this domain when creating tmpfs / shmem / ashmem files.
+define(`tmpfs_domain', `
+type $1_tmpfs, file_type;
+type_transition $1 tmpfs:file $1_tmpfs;
+allow $1 $1_tmpfs:file { read write getattr };
+allow $1 tmpfs:dir { getattr search };
+')
+
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
+')
+
+#####################################
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+tmpfs_domain($1)
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label ashmem objects with our own unique type.
+tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
+')
+
+#####################################
+# untrusted_app_domain(domain)
+# Allow a base set of permissions required for all untrusted apps.
+define(`untrusted_app_domain', `
+typeattribute $1 untrusted_app_all;
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+#   type hal_foo_default, domain;
+#   hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+#   hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
+')
+')
+
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+#   passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
+define(`unix_socket_connect', `
+ifelse($2, `property', `
+    ifelse($3,`init', `
+       print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
+   ')
+')
+__unix_socket_connect__($1, $2, $3)
+')
+
+define(`__unix_socket_connect__', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+__unix_socket_connect__($1, property, init)
+allow $1 $2:property_service set;
+get_prop($1, $2)
+')
+
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file r_file_perms;
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:capability2 block_suspend;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Recovery only
+# SELinux rules which apply only to recovery mode
+#
+define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+  allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned:fd use;
+allow $1 tombstoned_crash_socket:sock_file write;
+allow $1 tombstone_data_file:file append;
+')
+
+#####################################
+# WITH_DEXPREOPT builds
+# SELinux rules which apply only when pre-opting.
+#
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
+')
+
+#####################################
+# read_logd(domain)
+# Ability to run logcat and read from android
+# log daemon via sockets
+define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# read_runtime_log_tags(domain)
+# ability to directly map the runtime event log tags
+define(`read_runtime_log_tags', `
+allow $1 runtime_event_log_tags_file:file r_file_perms;
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+  allow keystore $1:dir search;
+  allow keystore $1:file { read open };
+  allow keystore $1:process getattr;
+  allow $1 keystore_service:service_manager find;
+  binder_call($1, keystore)
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+  allow drmserver $1:dir search;
+  allow drmserver $1:file { read open };
+  allow drmserver $1:process getattr;
+')
+
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+  allow $1 $2:service_manager { add find };
+  neverallow { domain -$1 } $2:service_manager add;
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+  allow $1 $2:hwservice_manager { add find };
+  allow $1 hidl_base_hwservice:hwservice_manager add;
+  neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
+##########################################
+# print a message with a trailing newline
+# print(`args')
+define(`print', `errprint(`m4: '__file__: __line__`: $*
+')')
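Review bot: The header comment of `vndbinder_use` reads `# Allow domain to use Binder IPC.`, a verbatim copy of `binder_use`'s header, although the macro body grants `vndbinder_device` and `vndservicemanager` access; suggest `# Allow domain to use vendor Binder (vndbinder) IPC.` Separately, `selinux_check_access` grants `netlink_selinux_socket` nearly its whole permission set (`bind connect listen accept name_bind relabelfrom relabelto …`), which looks wider than a policy-check client needs and is inherited by every caller of the macro; if only create/read/write/getattr/bind are actually exercised, narrowing it is worth confirming against denials. Also `add_hwservice` grants every caller `hidl_base_hwservice:hwservice_manager add` with no why-comment, so a line such as `# every HIDL server also registers the base interface — confirm` would save the next reader a lookup.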
diff --git a/public/tee.te b/public/tee.te
new file mode 100644
index 0000000..f023d5c
--- /dev/null
+++ b/public/tee.te
@@ -0,0 +1,7 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
diff --git a/public/tombstoned.te b/public/tombstoned.te
new file mode 100644
index 0000000..37243bb
--- /dev/null
+++ b/public/tombstoned.te
@@ -0,0 +1,17 @@
+# debugger interface
+type tombstoned, domain, mlstrustedsubject;
+type tombstoned_exec, exec_type, file_type;
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file create_file_perms;
+allow tombstoned anr_data_file:file { getattr append };
+
+# TODO: Find out why this is happening.
+allow tombstoned anr_data_file:file write;
+auditallow tombstoned anr_data_file:file write;
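Review bot: The grants `allow tombstoned domain:dir r_dir_perms;` and `allow tombstoned domain:file r_file_perms;` give tombstoned read access to the dir/file objects of every process domain (presumably /proc/<pid> entries) with no why-comment, while the neighbouring fd/fifo rule is explained. Suggest `# Read /proc/<pid> of the crashing process — TODO confirm which entries are needed`. The trailing `allow tombstoned anr_data_file:file write;` is guarded only by a bare `# TODO: Find out why this is happening.`; since the `auditallow` exists to gather evidence, the TODO should name the tracking bug (`# TODO(b/<bug-id>)`) so the temporary grant is actually revisited.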
diff --git a/toolbox.te b/public/toolbox.te
similarity index 92%
rename from toolbox.te
rename to public/toolbox.te
index 55de7eb..59c3a9c 100644
--- a/toolbox.te
+++ b/public/toolbox.te
@@ -1,11 +1,9 @@
 # Any toolbox command run by init.
 # At present, the only known usage is for running mkswap via fs_mgr.
 # Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain, domain_deprecated;
+type toolbox, domain;
 type toolbox_exec, exec_type, file_type;
 
-init_daemon_domain(toolbox)
-
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow toolbox tmpfs:chr_file { read write ioctl };
diff --git a/tzdatacheck.te b/public/tzdatacheck.te
similarity index 71%
rename from tzdatacheck.te
rename to public/tzdatacheck.te
index f61cb47..93ae165 100644
--- a/tzdatacheck.te
+++ b/public/tzdatacheck.te
@@ -1,8 +1,6 @@
 # The tzdatacheck command run by init.
-type tzdatacheck, domain, domain_deprecated;
+type tzdatacheck, domain;
 type tzdatacheck_exec, exec_type, file_type;
 
-init_daemon_domain(tzdatacheck)
-
 allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
 allow tzdatacheck zoneinfo_data_file:file unlink;
diff --git a/public/ueventd.te b/public/ueventd.te
new file mode 100644
index 0000000..4c77e11
--- /dev/null
+++ b/public/ueventd.te
@@ -0,0 +1,56 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, sysfs_type)
+r_dir_file(ueventd, rootfs)
+allow ueventd sysfs:file w_file_perms;
+allow ueventd sysfs_usb:file w_file_perms;
+allow ueventd sysfs_hwrandom:file w_file_perms;
+allow ueventd sysfs_zram_uevent:file w_file_perms;
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
+allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file)
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+#####
+##### neverallow rules
+#####
+
+# ueventd must never set properties, otherwise deadlocks may occur.
+# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
+# No writing to the property socket, connecting to init, or setting properties.
+neverallow ueventd property_socket:sock_file write;
+neverallow ueventd init:unix_stream_socket connectto;
+neverallow ueventd property_type:property_service set;
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom kmem_device or port_device
+neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
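Review bot: The capability grant `allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };` bundles `sys_rawio` and `dac_override` with no comment, although the rest of the file explains each grant and even pins block-device access down with a neverallow. A short why-comment per sensitive capability (e.g. `# dac_override/fowner: chown and chmod device nodes created as root — confirm`) would make later audits faster. Also the comment `# Restrict ueventd access on block devices to maintenence operations.` has a typo: `maintenance`.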
diff --git a/uncrypt.te b/public/uncrypt.te
similarity index 84%
rename from uncrypt.te
rename to public/uncrypt.te
index 2d95b88..7ae7d39 100644
--- a/uncrypt.te
+++ b/public/uncrypt.te
@@ -1,9 +1,7 @@
 # uncrypt
-type uncrypt, domain, domain_deprecated, mlstrustedsubject;
+type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
-init_daemon_domain(uncrypt)
-
 allow uncrypt self:capability dac_override;
 
 # Read OTA zip file from /data/data/com.google.android.gsf/app_download
@@ -31,10 +29,10 @@
 
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
-allow uncrypt block_device:blk_file w_file_perms;
-auditallow uncrypt block_device:blk_file w_file_perms;
 allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;
 
 # Access userdata block device.
 allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
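Review bot: `r_dir_file(uncrypt, rootfs)` is added at the end of the file with no comment, while every other grant in this file states its purpose. Suggest `# Read rootfs (/) directories and files — presumably needed before raw block writes; confirm`.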
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
new file mode 100644
index 0000000..6f29396
--- /dev/null
+++ b/public/untrusted_app.te
@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_app, domain;
diff --git a/public/untrusted_app_25.te b/public/untrusted_app_25.te
new file mode 100644
index 0000000..4ca6e31
--- /dev/null
+++ b/public/untrusted_app_25.te
@@ -0,0 +1,20 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory).  The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml.  In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key.  To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_app_25, domain;
+
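Review bot: The header comment is a verbatim copy of `public/untrusted_app.te` and still says `The untrusted_app domain is the default assignment in seapp_contexts`, so it never states what `untrusted_app_25` is for or how it differs from `untrusted_app`. A one-line addition such as `### untrusted_app_25 is assigned to apps whose targetSdkVersion does not qualify for untrusted_app — see seapp_contexts` (exact criterion to be confirmed) would let a reader pick the right domain. There is also a stray trailing blank line after the `type` declaration.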
diff --git a/public/untrusted_v2_app.te b/public/untrusted_v2_app.te
new file mode 100644
index 0000000..ac82f15
--- /dev/null
+++ b/public/untrusted_v2_app.te
@@ -0,0 +1,5 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+type untrusted_v2_app, domain;
diff --git a/update_engine.te b/public/update_engine.te
similarity index 75%
rename from update_engine.te
rename to public/update_engine.te
index fa3f05c..b8f0035 100644
--- a/update_engine.te
+++ b/public/update_engine.te
@@ -1,12 +1,14 @@
 # Domain for update_engine daemon.
-# update_engine uses the boot_control_hal.
-type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
+type update_engine, domain, update_engine_common;
 type update_engine_exec, exec_type, file_type;
-type update_engine_data_file, file_type, data_file_type;
 
-init_daemon_domain(update_engine);
 net_domain(update_engine);
 
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
+# sockets.
+allow update_engine qtaguid_proc:file rw_file_perms;
+allow update_engine qtaguid_device:chr_file r_file_perms;
+
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
 allow update_engine self:capability { fowner sys_admin };
@@ -26,7 +28,7 @@
 
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
-allow update_engine update_engine_service:service_manager { add };
+add_service(update_engine, update_engine_service)
 
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
@@ -34,3 +36,6 @@
 # Read OTA zip file at /data/ota_package/.
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
diff --git a/update_engine_common.te b/public/update_engine_common.te
similarity index 81%
rename from update_engine_common.te
rename to public/update_engine_common.te
index e70e44d..8e454cc 100644
--- a/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -24,14 +24,19 @@
 allow update_engine_common postinstall_file:lnk_file r_file_perms;
 allow update_engine_common postinstall_file:dir r_dir_perms;
 
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
 
 # A postinstall program is typically a shell script (with a #!), so we allow
 # to execute those.
 allow update_engine_common shell_exec:file rx_file_perms;
 
 # Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop };
+allow update_engine_common postinstall:process { signal sigstop sigkill };
 
+# access /proc/misc
+# Access is also granted to proc:file, but it is likely unneeded
+# due to the more specific grant to proc_misc immediately below.
+allow update_engine proc:file r_file_perms; # delete candidate
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
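Review bot: The new rules at the bottom use `update_engine` as the subject (`allow update_engine proc:file r_file_perms;` through `allow update_engine system_file:dir r_dir_perms;`) while every other rule in this file, and the file name, target the `update_engine_common` attribute; either the subject should be `update_engine_common` or these rules belong in `public/update_engine.te`, which this commit also touches. The comment `# read directories on /system and /vendor` is also wider than the single `system_file:dir` grant beneath it — add the vendor rule or trim the comment to `# read directories on /system`. The inline `# delete candidate` on the `proc:file` line should carry a bug id or be acted on, since the comment above already calls it likely unneeded.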
diff --git a/public/update_verifier.te b/public/update_verifier.te
new file mode 100644
index 0000000..4d4e1f9
--- /dev/null
+++ b/public/update_verifier.te
@@ -0,0 +1,19 @@
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, exec_type, file_type;
+
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read all blocks in dm wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
diff --git a/vdc.te b/public/vdc.te
similarity index 85%
rename from vdc.te
rename to public/vdc.te
index d31be65..53d7bbe 100644
--- a/vdc.te
+++ b/public/vdc.te
@@ -5,11 +5,9 @@
 # We also transition into this domain from dumpstate, when
 # collecting bug reports.
 
-type vdc, domain, domain_deprecated;
+type vdc, domain;
 type vdc_exec, exec_type, file_type;
 
-init_daemon_domain(vdc)
-
 unix_socket_connect(vdc, vold, vold)
 
 # vdc sends information back to dumpstate when "adb bugreport" is used
@@ -24,3 +22,6 @@
 
 # vdc can be invoked with logwrapper, so let it write to pty
 allow vdc devpts:chr_file rw_file_perms;
+
+# vdc writes directly to kmsg during the boot process
+allow vdc kmsg_device:chr_file w_file_perms;
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
new file mode 100644
index 0000000..b330542
--- /dev/null
+++ b/public/vendor_shell.te
@@ -0,0 +1,4 @@
+# vendor shell MUST never run as interactive or login shell.
+# vendor shell CAN never be traisitioned to by any process, so it is
+# only intended by shell script interpreter.
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
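Review bot: The comment on the new type promises that vendor shell can never be transitioned to by any process, but nothing in this hunk enforces that promise — unlike the sibling vendor_toolbox.te in the same change, which pairs the same statement with `neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };`. If the matching assertion for `vendor_shell_exec` lives in domain.te or another file, the comment should say where; otherwise an equivalent `full_treble_only(...)` neverallow belongs here next to the type. The comment also has a typo and an unclear clause; I would write lines 2-3 as `# vendor shell CAN never be transitioned to by any process, so it is` / `# only intended to be run by a shell script interpreter.`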
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
new file mode 100644
index 0000000..39462f8
--- /dev/null
+++ b/public/vendor_toolbox.te
@@ -0,0 +1,12 @@
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+    # Do not allow non-vendor domains to transition
+    # to vendor toolbox
+    neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
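Review bot: The comment above the full_treble_only block says non-vendor domains may not "read, execute" the file, but the neverallow only lists `{ entrypoint execute execute_no_trans }`, so `read` and `open` on vendor_toolbox_exec remain permitted to coredomain. Either the comment overstates the rule or the permission set is incomplete; since the header says the binary is only ever run without a transition by vendor processes, I would correct the comment rather than widen the assertion: `# Do not allow coredomain to transition to vendor toolbox` / `# or execute the vendor_toolbox file.` The header comment also reads awkwardly — `and is always executed without transition` should be `and it is always executed without a domain transition.`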
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
new file mode 100644
index 0000000..c2800e3
--- /dev/null
+++ b/public/virtual_touchpad.te
@@ -0,0 +1,16 @@
+type virtual_touchpad, domain;
+type virtual_touchpad_exec, exec_type, file_type;
+
+binder_use(virtual_touchpad)
+binder_service(virtual_touchpad)
+add_service(virtual_touchpad, virtual_touchpad_service)
+
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
+# Requires access to /dev/uinput to create and feed the virtual device.
+allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
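Review bot: `allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };` grants every ioctl on the device node, whereas the same change scopes privileged ioctls with an extended-permission rule elsewhere (wificond's `allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };`). If the ioctl numbers for creating and feeding the virtual device are available in the policy's ioctl definitions, an `allowxperm virtual_touchpad uhid_device:chr_file ioctl { ... };` line would limit the domain to the setup and event-injection commands it actually issues. The comment names /dev/uinput while the type is uhid_device; that mapping may well be correct, but a short note confirming it would save the next reader a trip to file_contexts.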
diff --git a/public/vndservice.te b/public/vndservice.te
new file mode 100644
index 0000000..0d309bf
--- /dev/null
+++ b/public/vndservice.te
@@ -0,0 +1 @@
+type default_android_vndservice, vndservice_manager_type;
diff --git a/public/vndservicemanager.te b/public/vndservicemanager.te
new file mode 100644
index 0000000..6b9f73d
--- /dev/null
+++ b/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/vold.te b/public/vold.te
similarity index 79%
rename from vold.te
rename to public/vold.te
index 8cea0c3..81ee28c 100644
--- a/vold.te
+++ b/public/vold.te
@@ -1,13 +1,7 @@
 # volume manager
-type vold, domain, domain_deprecated;
+type vold, domain;
 type vold_exec, exec_type, file_type;
 
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
 # Read already opened /cache files.
 allow vold cache_file:dir r_dir_perms;
 allow vold cache_file:file { getattr read };
@@ -16,15 +10,17 @@
 # Read access to pseudo filesystems.
 r_dir_file(vold, proc)
 r_dir_file(vold, proc_net)
-r_dir_file(vold, sysfs)
-r_dir_file(vold, rootfs)
+r_dir_file(vold, sysfs_type)
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file w_file_perms;
+allow vold sysfs_usb:file w_file_perms;
+allow vold sysfs_zram_uevent:file w_file_perms;
 
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
+r_dir_file(vold, rootfs)
+allow vold proc_meminfo:file r_file_perms;
+
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
 
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;
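Review bot: The added `allow vold sysfs:file w_file_perms;` (with its copy of the `# XXX Label sysfs files with a specific type?` comment) duplicates the pre-existing `allow vold sysfs:file rw_file_perms;` that remains as context under the original XXX comment further down this file, so the file now asks the same question twice and carries a strict subset of the later grant. I would drop the new line and its comment here and keep only the later rule, or move the later rule up and delete it below, but not both. Separately, `r_dir_file(vold, sysfs_type)` replaces a read grant on `sysfs` with one on every sysfs_type; a one-line comment naming which sysfs subtrees vold needs to read would make that widening reviewable later.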
@@ -35,6 +31,7 @@
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;
@@ -52,14 +49,8 @@
 allow vold media_rw_data_file:dir create_dir_perms;
 allow vold media_rw_data_file:file create_file_perms;
 
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
-
 # Allow mounting of storage devices
 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-allow vold sdcard_type:filesystem { mount unmount remount };
 
 # Manage per-user primary symlinks
 allow vold mnt_user_file:dir create_dir_perms;
@@ -74,11 +65,12 @@
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
 allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms;
+allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file create_file_perms;
-allow vold vold_device:blk_file create_file_perms;
+allow vold loop_control_device:chr_file rw_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
 # For vold Process::killProcessesWithOpenFiles function.
@@ -90,9 +82,6 @@
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
-# TODO: added to match above sysfs rule. Remove me?
-allow vold sysfs_usb:file w_file_perms;
-
 allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck in the fsck domain.
@@ -107,7 +96,7 @@
 #
 
 # Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount remount };
+allow vold labeledfs:filesystem { mount unmount };
 
 # Access /efs/userdata_footer.
 # XXX Split into a separate type?
@@ -128,7 +117,6 @@
 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
-security_access_policy(vold)
 allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
 allow vold asec_public_file:dir { relabelto setattr };
 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
@@ -145,7 +133,7 @@
 binder_call(vold, healthd)
 
 # talk to keymaster
-allow vold tee_device:chr_file rw_file_perms;
+hal_client_domain(vold, hal_keymaster)
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
@@ -181,24 +169,19 @@
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
 
-# coldboot of /sys/block
-allow vold sysfs_zram:dir r_dir_perms;
-allow vold sysfs_zram_uevent:file rw_file_perms;
-
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;
 
 # Prepare profile dir for users.
 allow vold user_profile_data_file:dir create_dir_perms;
-allow vold user_profile_foreign_dex_data_file:dir { getattr setattr };
 
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;
 
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
 neverallow vold fsck_exec:file execute_no_trans;
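Review bot: The two vold_data_file neverallows now exempt `kernel` (`neverallow { domain -vold -kernel } ...` and `neverallow { domain -vold -init -kernel } ...`), which removes the compile-time guarantee that only vold and init can touch vold's private data files, and no comment explains why. If the exemption exists because the kernel accesses loop-device backing files stored in that directory — a guess from the loop_device rules elsewhere in this file, to be confirmed — state it above the assertions, e.g. `# kernel is exempt: loop devices backed by files under vold_data_file are accessed in kernel context (confirm).` Without a stated reason the exemption reads like an accidental widening and is likely to be copied into other neverallows.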
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
new file mode 100644
index 0000000..c05dd63
--- /dev/null
+++ b/public/vr_hwc.te
@@ -0,0 +1,31 @@
+type vr_hwc, domain;
+type vr_hwc_exec, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+pdx_client(vr_hwc, display_client)
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
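Review bot: The comment `# Load vendor libraries.` sits above `allow vr_hwc system_file:dir r_dir_perms;`, which grants directory reads on system_file, not on a vendor type, so either the comment is wrong or the rule targets the wrong type; on a full-Treble device vendor libraries would be expected under vendor_file. If listing /system directories is what the service needs, I would change the comment to `# Read /system directories (library loading).`; if it really loads vendor libraries, the target type should be revisited rather than the comment. The permission-check rationale is split across `binder_call(vr_hwc, system_server)` and `permission_service:service_manager find`; a single comment placed once above both would read more clearly.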
diff --git a/watchdogd.te b/public/watchdogd.te
similarity index 100%
rename from watchdogd.te
rename to public/watchdogd.te
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
new file mode 100644
index 0000000..5d19b32
--- /dev/null
+++ b/public/webview_zygote.te
@@ -0,0 +1,5 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+type webview_zygote, domain;
+type webview_zygote_exec, exec_type, file_type;
diff --git a/public/wificond.te b/public/wificond.te
new file mode 100644
index 0000000..c91053e
--- /dev/null
+++ b/public/wificond.te
@@ -0,0 +1,35 @@
+# wificond
+type wificond, domain;
+type wificond_exec, exec_type, file_type;
+
+binder_use(wificond)
+binder_call(wificond, system_server)
+
+add_service(wificond, wificond_service)
+
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+# create sockets to set interfaces up and down
+allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
+allow wificond self:capability { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
+allow wificond self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+r_dir_file(wificond, proc_net)
+
+# wificond writes out configuration files for wpa_supplicant/hostapd.
+# wificond also reads pid files out of this directory
+allow wificond wifi_data_file:dir rw_dir_perms;
+allow wificond wifi_data_file:file create_file_perms;
+
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
+# dumpstate support
+allow wificond dumpstate:fd use;
+allow wificond dumpstate:fifo_file write;
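Review bot: `set_prop(wificond, ctl_default_prop)` lets wificond start and stop any init service whose ctl.* property is not labeled more specifically, which is broader than a Wi-Fi daemon should need and carries no comment explaining it. If the intent is to control wpa_supplicant and hostapd (the configuration-file comment below suggests so, to be confirmed), a dedicated ctl property type scoped to those services — in the style of the `ctl_bootanim_prop` grant surfaceflinger uses elsewhere in this tree — would keep the grant to what is needed. At minimum add `# start/stop wpa_supplicant and hostapd via ctl.start/ctl.stop` above the rule so the scope is reviewable.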
diff --git a/public/zygote.te b/public/zygote.te
new file mode 100644
index 0000000..83c42ef
--- /dev/null
+++ b/public/zygote.te
@@ -0,0 +1,3 @@
+# zygote
+type zygote, domain;
+type zygote_exec, exec_type, file_type;
diff --git a/reqd_mask/access_vectors b/reqd_mask/access_vectors
new file mode 120000
index 0000000..8312c07
--- /dev/null
+++ b/reqd_mask/access_vectors
@@ -0,0 +1 @@
+../private/access_vectors
\ No newline at end of file
diff --git a/reqd_mask/initial_sid_contexts b/reqd_mask/initial_sid_contexts
new file mode 100644
index 0000000..aa465cd
--- /dev/null
+++ b/reqd_mask/initial_sid_contexts
@@ -0,0 +1 @@
+sid reqd_mask u:r:reqd_mask_type:s0
diff --git a/reqd_mask/initial_sids b/reqd_mask/initial_sids
new file mode 100644
index 0000000..366cfb1
--- /dev/null
+++ b/reqd_mask/initial_sids
@@ -0,0 +1,3 @@
+sid reqd_mask
+
+# FLASK
diff --git a/reqd_mask/keys.conf b/reqd_mask/keys.conf
new file mode 100644
index 0000000..ce7166b
--- /dev/null
+++ b/reqd_mask/keys.conf
@@ -0,0 +1,2 @@
+# empty keys.conf file - used to generate an empty nonplat_mac_permissions.xml
+# on devices without any keys.conf or mac_permissions additions.
diff --git a/reqd_mask/mac_permissions.xml b/reqd_mask/mac_permissions.xml
new file mode 100644
index 0000000..ef9c6dd
--- /dev/null
+++ b/reqd_mask/mac_permissions.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+</policy>
diff --git a/reqd_mask/mls b/reqd_mask/mls
new file mode 100644
index 0000000..d276924
--- /dev/null
+++ b/reqd_mask/mls
@@ -0,0 +1 @@
+mlsconstrain binder { set_context_mgr } (l1 eq l2);
diff --git a/reqd_mask/mls_decl b/reqd_mask/mls_decl
new file mode 120000
index 0000000..5c505c9
--- /dev/null
+++ b/reqd_mask/mls_decl
@@ -0,0 +1 @@
+../private/mls_decl
\ No newline at end of file
diff --git a/reqd_mask/mls_macros b/reqd_mask/mls_macros
new file mode 120000
index 0000000..323dd57
--- /dev/null
+++ b/reqd_mask/mls_macros
@@ -0,0 +1 @@
+../private/mls_macros
\ No newline at end of file
diff --git a/reqd_mask/property_contexts b/reqd_mask/property_contexts
new file mode 100644
index 0000000..8e0bdbb
--- /dev/null
+++ b/reqd_mask/property_contexts
@@ -0,0 +1,3 @@
+# empty property_contexts file - this file is used to generate an empty
+# non-platform property context for devices without any property_contexts
+# customizations.
diff --git a/reqd_mask/reqd_mask.te b/reqd_mask/reqd_mask.te
new file mode 100644
index 0000000..f77eef4
--- /dev/null
+++ b/reqd_mask/reqd_mask.te
@@ -0,0 +1 @@
+type reqd_mask_type;
diff --git a/reqd_mask/roles b/reqd_mask/roles
new file mode 100644
index 0000000..926cb7a
--- /dev/null
+++ b/reqd_mask/roles
@@ -0,0 +1 @@
+role r types reqd_mask_type;
diff --git a/reqd_mask/roles_decl b/reqd_mask/roles_decl
new file mode 100644
index 0000000..c84fcba
--- /dev/null
+++ b/reqd_mask/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/reqd_mask/seapp_contexts b/reqd_mask/seapp_contexts
new file mode 100644
index 0000000..0f4e0ad
--- /dev/null
+++ b/reqd_mask/seapp_contexts
@@ -0,0 +1,2 @@
+# empty seapp_contexts file - used to generate an empty seapp_contexts for
+# devices without any non-platform seapp_contexts customizations.
diff --git a/reqd_mask/security_classes b/reqd_mask/security_classes
new file mode 120000
index 0000000..40c1d1d
--- /dev/null
+++ b/reqd_mask/security_classes
@@ -0,0 +1 @@
+../private/security_classes
\ No newline at end of file
diff --git a/reqd_mask/service_contexts b/reqd_mask/service_contexts
new file mode 100644
index 0000000..481967b
--- /dev/null
+++ b/reqd_mask/service_contexts
@@ -0,0 +1,3 @@
+# empty service_contexts file - this file is used to generate an empty
+# non-platform service_context for devices without any service_contexts
+# customizations.
diff --git a/users b/reqd_mask/users
similarity index 100%
copy from users
copy to reqd_mask/users
diff --git a/seapp_contexts b/seapp_contexts
deleted file mode 100644
index 5d5ad75..0000000
--- a/seapp_contexts
+++ /dev/null
@@ -1,99 +0,0 @@
-# Input selectors:
-#	isSystemServer (boolean)
-#	isAutoPlayApp (boolean)
-#	isOwner (boolean)
-#	user (string)
-#	seinfo (string)
-#	name (string)
-#	path (string)
-#	isPrivApp (boolean)
-# isSystemServer=true can only be used once.
-# An unspecified isSystemServer defaults to false.
-# isAutoPlayApp=true will match apps marked by PackageManager as AutoPlay
-# isOwner=true will only match for the owner/primary user.
-# isOwner=false will only match for secondary users.
-# If unspecified, the entry can match either case.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
-# isPrivApp=true will only match for applications preinstalled in
-#       /system/priv-app.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
-#
-# Precedence rules:
-# 	  (1) isSystemServer=true before isSystemServer=false.
-# 	  (2) Specified isAutoPlayApp= before unspecified isAutoPlayApp= boolean.
-# 	  (3) Specified isOwner= before unspecified isOwner= boolean.
-#	  (4) Specified user= string before unspecified user= string.
-#	  (5) Fixed user= string before user= prefix (i.e. ending in *).
-#	  (6) Longer user= prefix before shorter user= prefix.
-#	  (7) Specified seinfo= string before unspecified seinfo= string.
-#	      ':' character is reserved and may not be used.
-#	  (8) Specified name= string before unspecified name= string.
-#	  (9) Specified path= string before unspecified path= string.
-# 	  (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
-#
-# Outputs:
-#	domain (string)
-#	type (string)
-#	levelFrom (string; one of none, all, app, or user)
-#	level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
-# levelFrom=user is only supported for _app or _isolated UIDs.
-# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
-#
-#
-# Neverallow Assertions
-# Additional compile time assertion checks can be added as well. The assertion
-# rules are lines beginning with the keyword neverallow. Full support for PCRE
-# regular expressions exists on all input and output selectors. Neverallow
-# rules are never output to the built seapp_contexts file. Like all keywords,
-# neverallows are case-insensitive. A neverallow is asserted when all key value
-# inputs are matched on a key value rule line.
-#
-
-# only the system server can be in system_server domain
-neverallow isSystemServer=false domain=system_server
-neverallow isSystemServer="" domain=system_server
-
-# system domains should never be assigned outside of system uid
-neverallow user=((?!system).)* domain=system_app
-neverallow user=((?!system).)* type=system_app_data_file
-
-# anything with a non-known uid with a specified name should have a specified seinfo
-neverallow user=_app name=.* seinfo=""
-neverallow user=_app name=.* seinfo=default
-
-# neverallow shared relro to any other domain
-# and neverallow any other uid into shared_relro
-neverallow user=shared_relro domain=((?!shared_relro).)*
-neverallow user=((?!shared_relro).)* domain=shared_relro
-
-# neverallow non-isolated uids into isolated_app domain
-# and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
-neverallow user=((?!_isolated).)* domain=isolated_app
-
-# uid shell should always be in shell domain, however non-shell
-# uid's can be in shell domain
-neverallow user=shell domain=((?!shell).)*
-
-# AutoPlay Apps must run in the autoplay_app domain
-neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*
-
-isSystemServer=true domain=system_server
-user=system seinfo=platform domain=system_app type=system_app_data_file
-user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=nfc seinfo=platform domain=nfc type=nfc_data_file
-user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
-user=_isolated domain=isolated_app levelFrom=user
-user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all
-user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
-user=_app domain=untrusted_app type=app_data_file levelFrom=user
diff --git a/service.te b/service.te
deleted file mode 100644
index 9a77ce2..0000000
--- a/service.te
+++ /dev/null
@@ -1,122 +0,0 @@
-type audioserver_service,       service_manager_type;
-type bluetooth_service,         service_manager_type;
-type cameraserver_service,      service_manager_type;
-type default_android_service,   service_manager_type;
-type drmserver_service,         service_manager_type;
-type gatekeeper_service,        app_api_service, service_manager_type;
-type fingerprintd_service,      service_manager_type;
-type batteryproperties_service, app_api_service, service_manager_type;
-type gpu_service,               service_manager_type;
-type inputflinger_service,      service_manager_type;
-type keystore_service,          service_manager_type;
-type mediaserver_service,       service_manager_type;
-type mediaextractor_service,    service_manager_type;
-type mediacodec_service,        service_manager_type;
-type mediadrmserver_service,    service_manager_type;
-type netd_service,              service_manager_type;
-type nfc_service,               service_manager_type;
-type radio_service,             service_manager_type;
-type surfaceflinger_service,    service_manager_type;
-type system_app_service,        service_manager_type;
-type update_engine_service,     service_manager_type;
-
-# system_server_services broken down
-type accessibility_service, app_api_service, system_server_service, service_manager_type;
-type account_service, app_api_service, system_server_service, service_manager_type;
-type activity_service, app_api_service, system_server_service, service_manager_type;
-type alarm_service, app_api_service, system_server_service, service_manager_type;
-type appops_service, app_api_service, system_server_service, service_manager_type;
-type appwidget_service, app_api_service, system_server_service, service_manager_type;
-type assetatlas_service, app_api_service, system_server_service, service_manager_type;
-type audio_service, app_api_service, system_server_service, service_manager_type;
-type backup_service, app_api_service, system_server_service, service_manager_type;
-type batterystats_service, app_api_service, system_server_service, service_manager_type;
-type battery_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type;
-type cameraproxy_service, system_server_service, service_manager_type;
-type clipboard_service, app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, app_api_service, system_server_service, service_manager_type;
-type commontime_management_service, system_server_service, service_manager_type;
-type connectivity_service, app_api_service, system_server_service, service_manager_type;
-type connmetrics_service, app_api_service, system_server_service, service_manager_type;
-type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
-type content_service, app_api_service, system_server_service, service_manager_type;
-type country_detector_service, app_api_service, system_server_service, service_manager_type;
-type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
-type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type deviceidle_service, app_api_service, system_server_service, service_manager_type;
-type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, app_api_service, system_server_service, service_manager_type;
-type netd_listener_service, system_server_service, service_manager_type;
-type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, app_api_service, system_server_service, service_manager_type;
-type dropbox_service, app_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
-type hardware_service, system_server_service, service_manager_type;
-type hardware_properties_service, app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
-type input_method_service, app_api_service, system_server_service, service_manager_type;
-type input_service, app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, app_api_service, system_server_service, service_manager_type;
-type launcherapps_service, app_api_service, system_server_service, service_manager_type;
-type location_service, app_api_service, system_server_service, service_manager_type;
-type lock_settings_service, system_api_service, system_server_service, service_manager_type;
-type media_projection_service, app_api_service, system_server_service, service_manager_type;
-type media_router_service, app_api_service, system_server_service, service_manager_type;
-type media_session_service, app_api_service, system_server_service, service_manager_type;
-type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type midi_service, app_api_service, system_server_service, service_manager_type;
-type mount_service, app_api_service, system_server_service, service_manager_type;
-type netpolicy_service, app_api_service, system_server_service, service_manager_type;
-type netstats_service, app_api_service, system_server_service, service_manager_type;
-type network_management_service, app_api_service, system_server_service, service_manager_type;
-type network_score_service, system_api_service, system_server_service, service_manager_type;
-type network_time_update_service, system_server_service, service_manager_type;
-type notification_service, app_api_service, system_server_service, service_manager_type;
-type otadexopt_service, system_server_service, service_manager_type;
-type package_service, app_api_service, system_server_service, service_manager_type;
-type permission_service, app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
-type pinner_service, system_server_service, service_manager_type;
-type power_service, app_api_service, system_server_service, service_manager_type;
-type print_service, app_api_service, system_server_service, service_manager_type;
-type processinfo_service, system_server_service, service_manager_type;
-type procstats_service, app_api_service, system_server_service, service_manager_type;
-type recovery_service, system_server_service, service_manager_type;
-type registry_service, app_api_service, system_server_service, service_manager_type;
-type restrictions_service, app_api_service, system_server_service, service_manager_type;
-type rttmanager_service, app_api_service, system_server_service, service_manager_type;
-type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, app_api_service, system_server_service, service_manager_type;
-type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, app_api_service, system_server_service, service_manager_type;
-type task_service, system_server_service, service_manager_type;
-type textservices_service, app_api_service, system_server_service, service_manager_type;
-type telecom_service, app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, system_server_service, service_manager_type;
-type tv_input_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, app_api_service, system_server_service, service_manager_type;
-type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type usagestats_service, app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, app_api_service, system_server_service, service_manager_type;
-type vibrator_service, app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
-type vr_manager_service, system_server_service, service_manager_type;
-type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, app_api_service, system_server_service, service_manager_type;
-type wifip2p_service, app_api_service, system_server_service, service_manager_type;
-type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, app_api_service, system_server_service, service_manager_type;
-type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/servicemanager.te b/servicemanager.te
deleted file mode 100644
index 84605d1..0000000
--- a/servicemanager.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# servicemanager - the Binder context manager
-type servicemanager, domain, domain_deprecated, mlstrustedsubject;
-type servicemanager_exec, exec_type, file_type;
-
-init_daemon_domain(servicemanager)
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
diff --git a/surfaceflinger.te b/surfaceflinger.te
deleted file mode 100644
index 7364e5f..0000000
--- a/surfaceflinger.te
+++ /dev/null
@@ -1,73 +0,0 @@
-# surfaceflinger - display compositor service
-type surfaceflinger, domain, domain_deprecated;
-type surfaceflinger_exec, exec_type, file_type;
-
-init_daemon_domain(surfaceflinger)
-typeattribute surfaceflinger mlstrustedsubject;
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, { appdomain autoplay_app })
-binder_call(surfaceflinger, bootanim)
-binder_service(surfaceflinger)
-
-# Binder IPC to bu, presently runs in adbd domain.
-binder_call(surfaceflinger, adbd)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, { appdomain autoplay_app })
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir r_dir_perms;
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
-
-# Set properties.
-set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, ctl_bootanim_prop)
-
-# Use open files supplied by an app.
-allow surfaceflinger { appdomain autoplay_app }:fd use;
-allow surfaceflinger app_data_file:file { read write };
-
-# Allow a dumpstate triggered screenshot
-binder_call(surfaceflinger, dumpstate)
-binder_call(surfaceflinger, shell)
-r_dir_file(surfaceflinger, dumpstate)
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
-allow surfaceflinger tee_device:chr_file rw_file_perms;
-
-
-# media.player service
-allow surfaceflinger mediaserver_service:service_manager find;
-allow surfaceflinger permission_service:service_manager find;
-allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger gpu_service:service_manager { add find };
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger window_service:service_manager find;
-
-# allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
-
-###
-### Neverallow rules
-###
-### surfaceflinger should NEVER do any of this
-
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
diff --git a/te_macros b/te_macros
deleted file mode 100644
index 488ef9b..0000000
--- a/te_macros
+++ /dev/null
@@ -1,359 +0,0 @@
-#####################################
-# domain_trans(olddomain, type, newdomain)
-# Allow a transition from olddomain to newdomain
-# upon executing a file labeled with type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use domain_auto_trans
-# if that is what you want.
-#
-define(`domain_trans', `
-# Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
-allow $1 $3:process transition;
-# New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
-# New domain can send SIGCHLD to its caller.
-allow $3 $1:process sigchld;
-# Enable AT_SECURE, i.e. libc secure mode.
-dontaudit $1 $3:process noatsecure;
-# XXX dontaudit candidate but requires further study.
-allow $1 $3:process { siginh rlimitinh };
-')
-
-#####################################
-# domain_auto_trans(olddomain, type, newdomain)
-# Automatically transition from olddomain to newdomain
-# upon executing a file labeled with type.
-#
-define(`domain_auto_trans', `
-# Allow the necessary permissions.
-domain_trans($1,$2,$3)
-# Make the transition occur by default.
-type_transition $1 $2:process $3;
-')
-
-#####################################
-# file_type_trans(domain, dir_type, file_type)
-# Allow domain to create a file labeled file_type in a
-# directory labeled dir_type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use file_type_auto_trans
-# if that is what you want.
-#
-define(`file_type_trans', `
-# Allow the domain to add entries to the directory.
-allow $1 $2:dir ra_dir_perms;
-# Allow the domain to create the file.
-allow $1 $3:notdevfile_class_set create_file_perms;
-allow $1 $3:dir create_dir_perms;
-')
-
-#####################################
-# file_type_auto_trans(domain, dir_type, file_type)
-# Automatically label new files with file_type when
-# they are created by domain in directories labeled dir_type.
-#
-define(`file_type_auto_trans', `
-# Allow the necessary permissions.
-file_type_trans($1, $2, $3)
-# Make the transition occur by default.
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-')
-
-#####################################
-# r_dir_file(domain, type)
-# Allow the specified domain to read directories, files
-# and symbolic links of the specified type.
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:{ file lnk_file } r_file_perms;
-')
-
-#####################################
-# tmpfs_domain(domain)
-# Define and allow access to a unique type for
-# this domain when creating tmpfs / shmem / ashmem files.
-define(`tmpfs_domain', `
-type $1_tmpfs, file_type;
-type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write };
-')
-
-#####################################
-# init_daemon_domain(domain)
-# Set up a transition from init to the daemon domain
-# upon executing its binary.
-define(`init_daemon_domain', `
-domain_auto_trans(init, $1_exec, $1)
-tmpfs_domain($1)
-')
-
-#####################################
-# app_domain(domain)
-# Allow a base set of permissions required for all apps.
-define(`app_domain', `
-typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
-tmpfs_domain($1)
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file execute;
-')
-
-#####################################
-# net_domain(domain)
-# Allow a base set of permissions required for network access.
-define(`net_domain', `
-typeattribute $1 netdomain;
-')
-
-#####################################
-# bluetooth_domain(domain)
-# Allow a base set of permissions required for bluetooth access.
-define(`bluetooth_domain', `
-typeattribute $1 bluetoothdomain;
-')
-
-#####################################
-# unix_socket_connect(clientdomain, socket, serverdomain)
-# Allow a local socket connection from clientdomain via
-# socket to serverdomain.
-#
-# Note: If you see denial records that distill to the
-# following allow rules:
-# allow clientdomain property_socket:sock_file write;
-# allow clientdomain init:unix_stream_socket connectto;
-# allow clientdomain something_prop:property_service set;
-#
-# This sequence is indicative of attempting to set a property.
-# use set_prop(sourcedomain, targetproperty)
-#
-define(`unix_socket_connect', `
-ifelse($2, `property', `
-    ifelse($3,`init', `
-       print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
-   ')
-')
-__unix_socket_connect__($1, $2, $3)
-')
-
-define(`__unix_socket_connect__', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_stream_socket connectto;
-')
-
-#####################################
-# set_prop(sourcedomain, targetproperty)
-# Allows source domain to set the
-# targetproperty.
-#
-define(`set_prop', `
-__unix_socket_connect__($1, property, init)
-allow $1 $2:property_service set;
-get_prop($1, $2)
-')
-
-#####################################
-# get_prop(sourcedomain, targetproperty)
-# Allows source domain to read the
-# targetproperty.
-#
-define(`get_prop', `
-allow $1 $2:file r_file_perms;
-')
-
-#####################################
-# unix_socket_send(clientdomain, socket, serverdomain)
-# Allow a local socket send from clientdomain via
-# socket to serverdomain.
-define(`unix_socket_send', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_dgram_socket sendto;
-')
-
-#####################################
-# binder_use(domain)
-# Allow domain to use Binder IPC.
-define(`binder_use', `
-# Call the servicemanager and transfer references to it.
-allow $1 servicemanager:binder { call transfer };
-# servicemanager performs getpidcon on clients.
-allow servicemanager $1:dir search;
-allow servicemanager $1:file { read open };
-allow servicemanager $1:process getattr;
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# binder_call(clientdomain, serverdomain)
-# Allow clientdomain to perform binder IPC to serverdomain.
-define(`binder_call', `
-# Call the server domain and optionally transfer references to it.
-allow $1 $2:binder { call transfer };
-# Allow the serverdomain to transfer references to the client on the reply.
-allow $2 $1:binder transfer;
-# Receive and use open files from the server.
-allow $1 $2:fd use;
-')
-
-#####################################
-# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
-define(`binder_service', `
-typeattribute $1 binderservicedomain;
-')
-
-#####################################
-# wakelock_use(domain)
-# Allow domain to manage wake locks
-define(`wakelock_use', `
-# Access /sys/power/wake_lock and /sys/power/wake_unlock
-allow $1 sysfs_wake_lock:file rw_file_perms;
-# Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:capability2 block_suspend;
-')
-
-#####################################
-# selinux_check_access(domain)
-# Allow domain to check SELinux permissions via selinuxfs.
-define(`selinux_check_access', `
-allow $1 selinuxfs:file rw_file_perms;
-allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
-')
-
-#####################################
-# selinux_check_context(domain)
-# Allow domain to check SELinux contexts via selinuxfs.
-define(`selinux_check_context', `
-allow $1 selinuxfs:file rw_file_perms;
-allow $1 kernel:security check_context;
-')
-
-#####################################
-# selinux_setenforce(domain)
-# Allow domain to set SELinux to enforcing.
-define(`selinux_setenforce', `
-allow $1 selinuxfs:file rw_file_perms;
-allow $1 kernel:security setenforce;
-')
-
-#####################################
-# selinux_setbool(domain)
-# Allow domain to set SELinux booleans.
-define(`selinux_setbool', `
-allow $1 selinuxfs:file rw_file_perms;
-allow $1 kernel:security setbool;
-')
-
-#####################################
-# security_access_policy(domain)
-# Read only access to all policy files and
-# selinuxfs
-define(`security_access_policy', `
-allow $1 security_file:dir r_dir_perms;
-allow $1 security_file:file r_file_perms;
-')
-
-#####################################
-# mmac_manage_policy(domain)
-# Ability to manage mmac policy files,
-# trigger runtime reload, change
-# mmac enforcing mode and access logcat.
-define(`mmac_manage_policy', `
-allow $1 security_file:dir create_dir_perms;
-allow $1 security_file:file create_file_perms;
-allow $1 security_file:lnk_file { create rename unlink };
-set_prop($1, security_prop)
-')
-
-#####################################
-# create_pty(domain)
-# Allow domain to create and use a pty, isolated from any other domain ptys.
-define(`create_pty', `
-# Each domain gets a unique devpts type.
-type $1_devpts, fs_type;
-# Label the pty with the unique type when created.
-type_transition $1 devpts:chr_file $1_devpts;
-# Allow use of the pty after creation.
-allow $1 $1_devpts:chr_file { open getattr read write ioctl };
-# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
-# allowed to everyone via domain.te.
-')
-
-#####################################
-# Non system_app application set
-#
-define(`non_system_app_set', `{ appdomain -system_app }')
-
-#####################################
-# Recovery only
-# SELinux rules which apply only to recovery mode
-#
-define(`recovery_only', ifelse(target_recovery, `true', $1, ))
-
-#####################################
-# Userdebug or eng builds
-# SELinux rules which apply only to userdebug or eng builds
-#
-define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-define(`eng', ifelse(target_build_variant, `eng', $1))
-
-#####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-define(`write_logd', `
-unix_socket_send($1, logdw, logd)
-allow $1 pmsg_device:chr_file w_file_perms;
-')
-
-#####################################
-# read_logd(domain)
-# Ability to run logcat and read from android
-# log daemon via sockets
-define(`read_logd', `
-allow $1 logcat_exec:file rx_file_perms;
-unix_socket_connect($1, logdr, logd)
-')
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-define(`control_logd', `
-# Group AID_LOG checked by filesystem & logd
-# to permit control commands
-unix_socket_connect($1, logd, logd)
-')
-
-#####################################
-# use_keystore(domain)
-# Ability to use keystore.
-# Keystore is requires the following permissions
-# to call getpidcon.
-define(`use_keystore', `
-  allow keystore $1:dir search;
-  allow keystore $1:file { read open };
-  allow keystore $1:process getattr;
-  allow $1 keystore_service:service_manager find;
-  binder_call($1, keystore)
-')
-
-###########################################
-# use_drmservice(domain)
-# Ability to use DrmService which requires
-# DrmService to call getpidcon.
-define(`use_drmservice', `
-  allow drmserver $1:dir search;
-  allow drmserver $1:file { read open };
-  allow drmserver $1:process getattr;
-')
-
-##########################################
-# print a message with a trailing newline
-# print(`args')
-define(`print', `errprint(`m4: '__file__: __line__`: $*
-')')
diff --git a/tee.te b/tee.te
deleted file mode 100644
index 8ea6b95..0000000
--- a/tee.te
+++ /dev/null
@@ -1,15 +0,0 @@
-##
-# trusted execution environment (tee) daemon
-#
-type tee, domain, domain_deprecated;
-type tee_exec, exec_type, file_type;
-type tee_device, dev_type;
-type tee_data_file, file_type, data_file_type;
-
-init_daemon_domain(tee)
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms;
-allow tee self:netlink_generic_socket create_socket_perms;
diff --git a/tools/Android.mk b/tools/Android.mk
index 98f562c..1948b7a 100644
--- a/tools/Android.mk
+++ b/tools/Android.mk
@@ -4,13 +4,10 @@
 
 LOCAL_MODULE := checkseapp
 LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := \
-		external/pcre \
-		external/selinux/libsepol/include
 LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
 LOCAL_SRC_FILES := check_seapp.c
 LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_WHOLE_STATIC_LIBRARIES := libpcre
+LOCAL_WHOLE_STATIC_LIBRARIES := libpcre2
 LOCAL_CXX_STL := none
 
 include $(BUILD_HOST_EXECUTABLE)
@@ -20,8 +17,6 @@
 
 LOCAL_MODULE := checkfc
 LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/selinux/libsepol/include \
-                    external/libselinux/include
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := checkfc.c
 LOCAL_STATIC_LIBRARIES := libsepol libselinux
@@ -44,7 +39,6 @@
 
 LOCAL_MODULE := sepolicy-check
 LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/selinux/libsepol/include
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := sepolicy-check.c
 LOCAL_STATIC_LIBRARIES := libsepol
@@ -52,4 +46,17 @@
 
 include $(BUILD_HOST_EXECUTABLE)
 
+###################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := version_policy
+LOCAL_MODULE_TAGS := optional
+LOCAL_CFLAGS := -Wall -Werror
+LOCAL_SRC_FILES := version_policy.c
+LOCAL_SHARED_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
+
+include $(BUILD_HOST_EXECUTABLE)
+
+
 include $(call all-makefiles-under,$(LOCAL_PATH))
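Review bot: version_policy links libsepol dynamically (`LOCAL_SHARED_LIBRARIES := libsepol`) while every other host tool in this file — checkseapp, checkfc, sepolicy-check — uses `LOCAL_STATIC_LIBRARIES := libsepol`, so the new binary depends on a libsepol.so being resolvable on the host library path whenever the build invokes it. Unless the CIL entry points it needs (cil_db_init, cil_add_file) are only exported from the shared build, `LOCAL_STATIC_LIBRARIES := libsepol` would keep the tools self-contained and consistent with their siblings. Either way, a one-line comment above the module saying why it differs would save the next reader the question.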
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index a8b7bd8..c23c1f6 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -11,7 +11,7 @@
 #include <stdbool.h>
 #include <sepol/sepol.h>
 #include <sepol/policydb/policydb.h>
-#include <pcre.h>
+#include <pcre2.h>
 
 #define TABLE_SIZE 1024
 #define KVP_NUM_OF_RULES (sizeof(rules) / sizeof(key_map))
@@ -23,7 +23,7 @@
 /**
  * Initializes an empty, static list.
  */
-#define list_init(free_fn) { .head = NULL, .tail = NULL, .freefn = free_fn }
+#define list_init(free_fn) { .head = NULL, .tail = NULL, .freefn = (free_fn) }
 
 /**
  * given an item in the list, finds the offset for the container
@@ -35,7 +35,7 @@
  *
  */
 #define list_entry(element, type, name) \
-		(type *)(((uint8_t *)element) - (uint8_t *)&(((type *)NULL)->name))
+		(type *)(((uint8_t *)(element)) - (uint8_t *)&(((type *)NULL)->name))
 
 /**
  * Iterates over the list, do not free elements from the list when using this.
@@ -43,7 +43,7 @@
  * @var The variable name for the cursor
  */
 #define list_for_each(list, var) \
-	for(var = (list)->head; var != NULL; var = var->next)
+	for(var = (list)->head; var != NULL; var = var->next) /*NOLINT*/
 
 
 typedef struct hash_entry hash_entry;
@@ -91,8 +91,8 @@
 };
 
 struct key_map_regex {
-	pcre *compiled;
-	pcre_extra *extra;
+	pcre2_code *compiled;
+	pcre2_match_data *match_data;
 };
 
 /**
@@ -194,6 +194,7 @@
 static bool validate_levelFrom(char *value, char **errmsg);
 static bool validate_selinux_type(char *value, char **errmsg);
 static bool validate_selinux_level(char *value, char **errmsg);
+static bool validate_uint(char *value, char **errmsg);
 
 /**
  * The heart of the mapping process, this must be updated if a new key value pair is added
@@ -202,13 +203,15 @@
 key_map rules[] = {
                 /*Inputs*/
                 { .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool },
-                { .name = "isAutoPlayApp",  .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "isEphemeralApp",  .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "isV2App",        .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "isOwner",        .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "user",           .dir = dir_in,                              },
                 { .name = "seinfo",         .dir = dir_in,                              },
                 { .name = "name",           .dir = dir_in,                              },
                 { .name = "path",           .dir = dir_in,                              },
                 { .name = "isPrivApp",      .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                 /*Outputs*/
                 { .name = "domain",         .dir = dir_out, .fn_validate = validate_selinux_type  },
                 { .name = "type",           .dir = dir_out, .fn_validate = validate_selinux_type  },
@@ -320,14 +323,15 @@
 
 	char *tomatch = check->data;
 
-	int ret = pcre_exec(assert->regex.compiled, assert->regex.extra, tomatch,
-			strlen(tomatch), 0, 0, NULL, 0);
+	int ret = pcre2_match(assert->regex.compiled, (PCRE2_SPTR) tomatch,
+				PCRE2_ZERO_TERMINATED, 0, 0,
+				assert->regex.match_data, NULL);
 
-	/* 0 from pcre_exec means matched */
-	return !ret;
+	/* ret > 0 from pcre2_match means matched */
+	return ret > 0;
 }
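Review bot: A pcre2_match() error is folded into "no match" by `return ret > 0;`, so a matcher failure (for example PCRE2_ERROR_MATCHLIMIT on a pathological pattern) makes a neverallow assertion silently pass — fail-open for a tool whose job is to reject bad seapp_contexts entries. Distinguish the error case before returning: `if (ret < 0 && ret != PCRE2_ERROR_NOMATCH) log_error("pcre2_match failed: %d", ret);` and surface it as a check failure rather than a non-match; pcre2_get_error_message() can render the code the way the key_map_validate path already does. The enclosing function begins before this hunk.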
 
-static bool compile_regex(key_map *km, const char **errbuf, int *erroff) {
+static bool compile_regex(key_map *km, int *errcode, PCRE2_SIZE *erroff) {
 
 	size_t size;
 	char *anchored;
@@ -341,13 +345,21 @@
 	anchored = alloca(size);
 	sprintf(anchored, "^%s$", km->data);
 
-	km->regex.compiled = pcre_compile(anchored, PCRE_DOTALL, errbuf, erroff,
-			NULL );
+	km->regex.compiled = pcre2_compile((PCRE2_SPTR) anchored,
+						PCRE2_ZERO_TERMINATED,
+						PCRE2_DOTALL,
+						errcode, erroff,
+						NULL);
 	if (!km->regex.compiled) {
 		return false;
 	}
 
-	km->regex.extra = pcre_study(km->regex.compiled, 0, errbuf);
+	km->regex.match_data = pcre2_match_data_create_from_pattern(
+			km->regex.compiled, NULL);
+	if (!km->regex.match_data) {
+		pcre2_code_free(km->regex.compiled);
+		return false;
+	}
 	return true;
 }
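Review bot: On the match-data allocation failure path `pcre2_code_free(km->regex.compiled);` leaves km->regex.compiled pointing at freed memory, and the teardown path later in this file frees it again whenever it is non-NULL (the `if (m->regex.compiled)` test in the destroy hunk), which is a double free if the caller ever unwinds instead of exiting. Add `km->regex.compiled = NULL;` immediately after the free. compile_regex begins before this hunk; its signature is in the preceding one.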
 
@@ -408,6 +420,19 @@
 	return true;
 }
 
+static bool validate_uint(char *value, char **errmsg) {
+
+	char *endptr;
+	long longvalue;
+	longvalue = strtol(value, &endptr, 10);
+	if (('\0' != *endptr) || (longvalue < 0) || (longvalue > INT32_MAX)) {
+		*errmsg = "Expecting a valid unsigned integer";
+		return false;
+	}
+
+	return true;
+}
+
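Review bot: validate_uint accepts the empty string: strtol("") returns 0 with endptr == value, so `'\0' != *endptr` is false and the value passes as a valid minTargetSdkVersion. It also accepts leading whitespace and a '+' sign, and on hosts where long is 32 bits an overflowing value is clamped to LONG_MAX (== INT32_MAX) and passes because ERANGE is never checked. Tighten the test to `if (endptr == value || *endptr != '\0' || longvalue < 0 || longvalue > INT32_MAX)` and, if errno.h is in scope here, set `errno = 0;` before the call and treat `errno == ERANGE` as invalid. INT32_MAX needs stdint.h; I can't see from this hunk whether it is included directly or only transitively via the sepol headers.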
 /**
  * Validates a key_map against a set of enforcement rules, this
  * function exits the application on a type that cannot be properly
@@ -423,12 +448,13 @@
 static bool key_map_validate(key_map *m, const char *filename, int lineno,
 		bool is_neverallow) {
 
-	int erroff;
-	const char *errbuf;
+	PCRE2_SIZE erroff;
+	int errcode;
 	bool rc = true;
 	char *key = m->name;
 	char *value = m->data;
 	char *errmsg = NULL;
+	char errstr[256];
 
 	log_info("Validating %s=%s\n", key, value);
 
@@ -438,10 +464,13 @@
 	 */
 	if (is_neverallow) {
 		if (!m->regex.compiled) {
-			rc = compile_regex(m, &errbuf, &erroff);
+			rc = compile_regex(m, &errcode, &erroff);
 			if (!rc) {
-				log_error("Invalid regex on line %d : %s PCRE error: %s at offset %d",
-					lineno, value, errbuf, erroff);
+				pcre2_get_error_message(errcode,
+							(PCRE2_UCHAR*) errstr,
+							sizeof(errstr));
+				log_error("Invalid regex on line %d : %s PCRE error: %s at offset %lu",
+						lineno, value, errstr, erroff);
 			}
 		}
 		goto out;
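Review bot: The format `%lu` for `erroff`, a PCRE2_SIZE (size_t), is only correct where size_t is unsigned long; with -Wall -Werror this becomes a build break on hosts where the two types differ. Use the size_t conversion instead: `log_error("Invalid regex on line %d : %s PCRE error: %s at offset %zu", lineno, value, errstr, erroff);`. key_map_validate begins before this hunk.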
@@ -572,11 +601,11 @@
 		free(m->data);
 
 		if (m->regex.compiled) {
-			pcre_free(m->regex.compiled);
+			pcre2_code_free(m->regex.compiled);
 		}
 
-		if (m->regex.extra) {
-			pcre_free_study(m->regex.extra);
+		if (m->regex.match_data) {
+			pcre2_match_data_free(m->regex.match_data);
 		}
 	}
 
@@ -884,8 +913,7 @@
 		}
 
 		if (sepol_policydb_read(pol.db, pol.pf) < 0) {
-			log_error("Could not lod policy file to db: %s!\n",
-					strerror(errno));
+			log_error("Could not load policy file to db: invalid input file!\n");
 			exit(EXIT_FAILURE);
 		}
 	}
@@ -974,6 +1002,7 @@
 	list *list_to_addto;
 
 	e.key = rm->key;
+	e.data = NULL;
 
 	log_info("Searching for key: %s\n", e.key);
 	/* Check to see if it has already been added*/
diff --git a/tools/checkfc.c b/tools/checkfc.c
index e7d19b0..9cbd912 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -15,12 +15,16 @@
 static const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL };
 static const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL };
 static const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL };
+static const char * const CHECK_HW_SC_ASSERT_ATTRS[] = { "hwservice_manager_type", NULL };
+static const char * const CHECK_VND_SC_ASSERT_ATTRS[] = { "vndservice_manager_type", NULL };
 
 typedef enum filemode filemode;
 enum filemode {
     filemode_file_contexts = 0,
     filemode_property_contexts,
-    filemode_service_contexts
+    filemode_service_contexts,
+    filemode_hw_service_contexts,
+    filemode_vendor_service_contexts
 };
 
 static struct {
@@ -55,6 +59,10 @@
         return CHECK_PC_ASSERT_ATTRS;
     case filemode_service_contexts:
         return CHECK_SC_ASSERT_ATTRS;
+    case filemode_hw_service_contexts:
+        return CHECK_HW_SC_ASSERT_ATTRS;
+    case filemode_vendor_service_contexts:
+        return CHECK_VND_SC_ASSERT_ATTRS;
     }
     /* die on invalid parameters */
     fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode);
@@ -185,10 +193,13 @@
 }
 
 static void usage(char *name) {
-    fprintf(stderr, "usage1:  %s [-p|-s] [-e] sepolicy context_file\n\n"
+    fprintf(stderr, "usage1:  %s [-l|-p|-s|-v] [-e] sepolicy context_file\n\n"
         "Parses a context file and checks for syntax errors.\n"
-        "The context_file is assumed to be a file_contexts file\n"
-        "unless the -p or -s option is used to indicate the property or service backend respectively.\n"
+        "If -p is specified, the property backend is used.\n"
+        "If -s is specified, the service backend is used to verify binder services.\n"
+        "If -l is specified, the service backend is used to verify hwbinder services.\n"
+        "If -v is specified, the service backend is used to verify vndbinder services.\n"
+        "Otherwise, context_file is assumed to be a file_contexts file\n"
         "If -e is specified, then the context_file is allowed to be empty.\n\n"
 
         "usage2:  %s -c file_contexts1 file_contexts2\n\n"
@@ -332,7 +343,7 @@
 
   filemode mode = filemode_file_contexts;
 
-  while ((c = getopt(argc, argv, "cpse")) != -1) {
+  while ((c = getopt(argc, argv, "clpsve")) != -1) {
     switch (c) {
       case 'c':
         compare = true;
@@ -346,7 +357,15 @@
         break;
       case 's':
         mode = filemode_service_contexts;
-        backend = SELABEL_CTX_ANDROID_PROP;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
+      case 'l':
+        mode = filemode_hw_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
+      case 'v':
+        mode = filemode_vendor_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
         break;
       case 'h':
       default:
diff --git a/tools/fc_sort/fc_sort.c b/tools/fc_sort/fc_sort.c
index f4d2cd0..5561288 100644
--- a/tools/fc_sort/fc_sort.c
+++ b/tools/fc_sort/fc_sort.c
@@ -315,7 +315,7 @@
 {
 	int lines;
 	size_t start, finish, regex_len, context_len;
-	size_t line_len, buf_len, i, j;
+	size_t line_len, buf_len, i;
 	char *input_name, *output_name, *line_buf;
 
 	file_context_node_t *temp;
@@ -336,7 +336,7 @@
 	input_name = argv[1];
 	output_name = (argc >= 3) ? argv[2] : NULL;
 
-	i = j = lines = 0;
+	lines = 0;
 
 	/* Open the input file. */
 	if (!(in_file = fopen(input_name, "r"))) {
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index 61f1a26..98f3771 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -5,7 +5,6 @@
 
 LOCAL_MODULE := sepolicy-analyze
 LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/selinux/libsepol/include
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
 LOCAL_STATIC_LIBRARIES := libsepol
diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README
index d18609a..fdee588 100644
--- a/tools/sepolicy-analyze/README
+++ b/tools/sepolicy-analyze/README
@@ -65,6 +65,10 @@
 
     Displays the types associated with the specified attribute name.
 
+    sepolicy-analyze out/target/product/<board>/root/sepolicy attribute -r <name>
+
+    Displays the attributes associated with the specified type name.
+
     NEVERALLOW CHECKING (neverallow)
     sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
     [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c
index 474bda2..ae98aa9 100644
--- a/tools/sepolicy-analyze/attribute.c
+++ b/tools/sepolicy-analyze/attribute.c
@@ -1,39 +1,81 @@
+#include <getopt.h>
+
 #include "attribute.h"
 
 void attribute_usage() {
-    fprintf(stderr, "\tattribute <attribute-name>\n");
+    fprintf(stderr, "\tattribute <name> [-r|--reverse]\n");
 }
 
-static int list_attribute(policydb_t * policydb, char *name)
-{
-    struct type_datum *attr;
+static void retrieve_mapping(policydb_t *policydb, struct type_datum *dat, char *name, int reverse) {
     struct ebitmap_node *n;
     unsigned int bit;
 
-    attr = hashtab_search(policydb->p_types.table, name);
-    if (!attr) {
+    if (reverse) {
+        ebitmap_for_each_bit(&policydb->type_attr_map[dat->s.value - 1], n, bit) {
+            if (!ebitmap_node_get_bit(n, bit))
+                continue;
+            if (!strcmp(policydb->p_type_val_to_name[bit], name))
+                continue;
+            printf("%s\n", policydb->p_type_val_to_name[bit]);
+        }
+    } else {
+        ebitmap_for_each_bit(&policydb->attr_type_map[dat->s.value - 1], n, bit) {
+            if (!ebitmap_node_get_bit(n, bit))
+                continue;
+            printf("%s\n", policydb->p_type_val_to_name[bit]);
+        }
+    }
+}
+
+static int list_attribute(policydb_t *policydb, char *name, int reverse)
+{
+    struct type_datum *dat;
+
+    dat = hashtab_search(policydb->p_types.table, name);
+    if (!dat) {
         fprintf(stderr, "%s is not defined in this policy.\n", name);
         return -1;
     }
 
-    if (attr->flavor != TYPE_ATTRIB) {
-        fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
-        return -1;
+    if (reverse) {
+        if (dat->flavor != TYPE_TYPE) {
+            fprintf(stderr, "%s is an attribute not a type in this policy.\n", name);
+            return -1;
+        }
+    } else {
+        if (dat->flavor != TYPE_ATTRIB) {
+            fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
+            return -1;
+        }
     }
-
-    ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) {
-        if (!ebitmap_node_get_bit(n, bit))
-            continue;
-        printf("%s\n", policydb->p_type_val_to_name[bit]);
-    }
+    retrieve_mapping(policydb, dat, name, reverse);
 
     return 0;
 }
 
 int attribute_func (int argc, char **argv, policydb_t *policydb) {
-    if (argc != 2) {
+    int reverse = 0;
+    char ch;
+
+    struct option attribute_options[] = {
+        {"reverse", no_argument, NULL, 'r'},
+        {NULL, 0, NULL, 0}
+    };
+
+    while ((ch = getopt_long(argc, argv, "r", attribute_options, NULL)) != -1) {
+        switch (ch) {
+        case 'r':
+            reverse = 1;
+            break;
+        default:
+            USAGE_ERROR = true;
+            return -1;
+        }
+    }
+
+    if (argc != 2 && !(reverse && argc == 3)) {
         USAGE_ERROR = true;
         return -1;
     }
-    return list_attribute(policydb, argv[1]);
+    return list_attribute(policydb, argv[optind], reverse);
 }
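Review bot: `attribute -r` with no name passes the argument check (argc == 2, so the `argc != 2` clause is false and the whole condition is false) and then calls list_attribute with argv[optind], which is argv[2] — past the last argument — so hashtab_search receives a NULL name. Count the remaining operands instead: `if (argc - optind != 1) { USAGE_ERROR = true; return -1; }`, which also covers the existing accepted shapes. Separately, `char ch` receiving getopt_long's int return never compares equal to -1 where char is unsigned, so the loop does not terminate there; declare it `int ch;`. If main's own option parsing already ran getopt over the full argv, optind may need resetting before this loop — I can't tell from this file.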
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index b288ea7..26ce144 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -173,9 +173,6 @@
         }
     }
 
-    if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags))
-        fprintf(stderr, "Warning!  Empty type set\n");
-
     *ptr = p;
     return 0;
 err:
diff --git a/tools/version_policy.c b/tools/version_policy.c
new file mode 100644
index 0000000..24b2a3c
--- /dev/null
+++ b/tools/version_policy.c
@@ -0,0 +1,192 @@
+/*
+ * version_policy.c - Takes the given public platform policy, a private policy
+ * and a version number to produced a combined "versioned" policy file.
+ */
+#include <errno.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <cil/android.h>
+#include <cil/cil.h>
+#include <cil/cil_write_ast.h>
+
+void __attribute__ ((noreturn)) static usage(char *prog) {
+	printf("Usage: %s [OPTION]...\n", prog);
+	printf("\n");
+	printf("Options:\n");
+	printf("  -b, --base=<file>          (req'd) base policy for versioning.\n");
+	printf("  -m, --mapping              generate cil version  mapping from base policy\n");
+	printf("  -n, --number               (req'd) version number to use.\n");
+	printf("  -o, --output=<file>        write cil policy to <file>\n");
+	printf("  -t, --tgt_policy           policy to be versioned according to base policy\n");
+	printf("  -h, --help                 display usage information\n");
+	exit(1);
+}
+
+/*
+ * read_cil_file - Initialize db and parse CIL input file.
+ */
+static int read_cil_file(struct cil_db **db, char *path) {
+	int rc = SEPOL_ERR;
+	FILE *file;
+	struct stat filedata;
+	uint32_t file_size;
+	char *buff = NULL;
+
+	cil_db_init(db);
+	file = fopen(path, "re");
+	if (!file) {
+		fprintf(stderr, "Could not open file: %s\n", path);
+		goto file_err;
+	}
+	rc = stat(path, &filedata);
+	if (rc == -1) {
+		fprintf(stderr, "Could not stat file: %s - %s\n", path, strerror(errno));
+		goto err;
+	}
+	file_size = filedata.st_size;
+	buff = malloc(file_size);
+	if (buff == NULL) {
+		fprintf(stderr, "OOM!\n");
+		rc = SEPOL_ERR;
+		goto err;
+	}
+	rc = fread(buff, file_size, 1, file);
+	if (rc != 1) {
+		fprintf(stderr, "Failure reading file: %s\n", path);
+		rc = SEPOL_ERR;
+		goto err;
+	}
+	fclose(file);
+	file = NULL;
+
+	/* creates parse_tree */
+	rc = cil_add_file(*db, path, buff, file_size);
+	if (rc != SEPOL_OK) {
+		fprintf(stderr, "Failure adding %s to parse tree\n", path);
+		goto err;
+	}
+	free(buff);
+
+	return SEPOL_OK;
+err:
+	free(buff);
+	fclose(file);
+file_err:
+	cil_db_destroy(db);
+	return rc;
+}
+
+int main(int argc, char *argv[])
+{
+	int opt_char;
+	int opt_index = 0;
+	int rc = SEPOL_ERR;
+	bool mapping = false;
+	char *base = NULL;
+	char *tgt_policy = NULL;
+	char *num = NULL;
+	char *dot;
+	char *output = NULL;
+	struct cil_db *base_db = NULL;
+	struct cil_db *out_db = NULL;
+
+	static struct option long_opts[] = {
+		{"help", no_argument, 0, 'h'},
+		{"base", required_argument, 0, 'b'},
+		{"mapping", no_argument, 0, 'm'},
+		{"number", required_argument, 0, 'n'},
+		{"output", required_argument, 0, 'o'},
+		{"tgt_policy", required_argument, 0, 't'},
+		{0, 0, 0, 0}
+	};
+
+	while (1) {
+		opt_char = getopt_long(argc, argv, "b:mn:o:t:h", long_opts, &opt_index);
+		if (opt_char == -1) {
+			break;
+		}
+		switch (opt_char) {
+		case 'b':
+			base = strdup(optarg);
+			break;
+		case 'm':
+			mapping = true;
+			break;
+		case 'n':
+			num = strdup(optarg);
+			break;
+		case 'o':
+			output = strdup(optarg);
+			break;
+		case 't':
+			tgt_policy = strdup(optarg);
+			break;
+		case 'h':
+			usage(argv[0]);
+		default:
+			fprintf(stderr, "Unsupported option: %s\n", optarg);
+			usage(argv[0]);
+		}
+	}
+	if (optind < argc) {
+		fprintf(stderr, "Unknown arguments supplied\n");
+		usage(argv[0]);
+	}
+	if (num == NULL || base == NULL || (mapping == false && tgt_policy == NULL)) {
+		fprintf(stderr, "Please specify required arguments\n");
+		usage(argv[0]);
+	}
+
+	/* policy language doesn't like '.', so replace them with '_' in mapping version */
+	dot = num;
+	while ((dot = strchr(dot, '.')) != NULL) {
+		*dot = '_';
+		++dot;
+	}
+
+	if (mapping && tgt_policy) {
+		fprintf(stderr, "Please select only one mode between --mapping and --tgt_policy\n");
+		usage(argv[0]);
+	}
+
+	/* gimme all the details */
+	cil_set_log_level(CIL_INFO);
+
+	/* read platform policy */
+	rc = read_cil_file(&base_db, base);
+	if (rc != SEPOL_OK) {
+		goto exit;
+	}
+
+	if (mapping) {
+		rc = cil_android_attrib_mapping(&out_db, base_db, num);
+		if (rc != SEPOL_OK)
+			goto exit;
+	} else {
+		/* read target policy, ready for manipulation */
+		rc = read_cil_file(&out_db, tgt_policy);
+		if (rc != SEPOL_OK) {
+			goto exit;
+		}
+		/* attributize the target policy */
+		rc = cil_android_attributize(out_db, base_db, num);
+		if (rc != SEPOL_OK) {
+			goto exit;
+		}
+	}
+	rc = cil_write_ast(out_db, output);
+	if (rc != SEPOL_OK) {
+		goto exit;
+	}
+
+exit:
+	free(base);
+	free(tgt_policy);
+	free(num);
+	free(output);
+	cil_db_destroy(&base_db);
+	cil_db_destroy(&out_db);
+	return rc;
+}
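Review bot: read_cil_file sizes its buffer with stat(path) after fopen(path) has already opened the file, so the size can describe a different file than the one being read if the path is replaced in between; `rc = fstat(fileno(file), &filedata);` ties the size to the open descriptor instead. file_size is a uint32_t, so st_size is silently truncated for large inputs, and a zero-length file makes fread return 0 and be reported as a read failure — a guard such as `if (filedata.st_size <= 0 || filedata.st_size > UINT32_MAX) goto err;` before the malloc makes both cases explicit. In main's default case getopt_long leaves optarg NULL for an unrecognized option, so the `%s` there is undefined behaviour; `argv[optind - 1]` names the offending argument. strerror, strdup and strchr are used without an explicit `<string.h>` include, presumably reached through the cil headers — worth including directly so the file does not depend on that.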
diff --git a/tools/whitespace.sh b/tools/whitespace.sh
new file mode 100755
index 0000000..5fb4a2f
--- /dev/null
+++ b/tools/whitespace.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+RESULT=0
+
+for i in "$@"; do
+  a="`tail -c 1 "$i"`"
+  if [ "$a" != "" ]; then
+    echo "$i does not have a trailing newline" 1>&2
+    RESULT=-1
+  fi
+done
+
+exit $RESULT
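Review bot: A path that does not exist or cannot be read is reported as passing: tail writes its error to stderr, `a` stays empty, and the `!= ""` test never fires, so the file is silently skipped. A guard before the tail, `if [ ! -r "$i" ]; then echo "$i is not readable" 1>&2; RESULT=1; continue; fi`, turns that into a failure. `RESULT=-1` also becomes exit status 255 after the shell's 8-bit truncation; `RESULT=1` is the conventional failure code, and `$(tail -c 1 "$i")` reads more clearly than backticks.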
diff --git a/ueventd.te b/ueventd.te
deleted file mode 100644
index 9a24357..0000000
--- a/ueventd.te
+++ /dev/null
@@ -1,44 +0,0 @@
-# ueventd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type ueventd, domain, domain_deprecated;
-tmpfs_domain(ueventd)
-
-# TODO: why is ueventd using __kmsg__ when it should just create
-# and use /dev/kmsg instead?
-type_transition ueventd device:chr_file klog_device "__kmsg__";
-allow ueventd klog_device:chr_file { create open write unlink };
-
-security_access_policy(ueventd)
-allow ueventd init:process sigchld;
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
-allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-allow ueventd sysfs:file rw_file_perms;
-allow ueventd sysfs_usb:file w_file_perms;
-allow ueventd sysfs_hwrandom:file w_file_perms;
-allow ueventd sysfs_zram_uevent:file w_file_perms;
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
-allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-#####
-##### neverallow rules
-#####
-
-# ueventd must never set properties, otherwise deadlocks may occur.
-# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
-# No writing to the property socket, connecting to init, or setting properties.
-neverallow ueventd property_socket:sock_file write;
-neverallow ueventd init:unix_stream_socket connectto;
-neverallow ueventd property_type:property_service set;
diff --git a/untrusted_app.te b/untrusted_app.te
deleted file mode 100644
index 35c811c..0000000
--- a/untrusted_app.te
+++ /dev/null
@@ -1,208 +0,0 @@
-###
-### Untrusted apps.
-###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory).  The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml.  In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key.  To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-### untrusted_app includes all the appdomain rules, plus the
-### additional following rules:
-###
-
-type untrusted_app, domain;
-app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app app_data_file:file { rx_file_perms execmod };
-
-# ASEC
-allow untrusted_app asec_apk_file:file r_file_perms;
-allow untrusted_app asec_apk_file:dir r_dir_perms;
-# Execute libs in asec containers.
-allow untrusted_app asec_public_file:file { execute execmod };
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app shell_data_file:file r_file_perms;
-allow untrusted_app shell_data_file:dir r_dir_perms;
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app system_app_data_file:file { read write getattr };
-
-#
-# Rules migrated from old app domains coalesced into untrusted_app.
-# This includes what used to be media_app, shared_app, and release_app.
-#
-
-# Access to /data/media.
-allow untrusted_app media_rw_data_file:dir create_dir_perms;
-allow untrusted_app media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_app servicemanager:service_manager list;
-
-allow untrusted_app audioserver_service:service_manager find;
-allow untrusted_app cameraserver_service:service_manager find;
-allow untrusted_app drmserver_service:service_manager find;
-allow untrusted_app mediaserver_service:service_manager find;
-allow untrusted_app mediaextractor_service:service_manager find;
-allow untrusted_app mediacodec_service:service_manager find;
-allow untrusted_app mediadrmserver_service:service_manager find;
-allow untrusted_app nfc_service:service_manager find;
-allow untrusted_app radio_service:service_manager find;
-allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app app_api_service:service_manager find;
-
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
-  allow untrusted_app perfprofd_data_file:file r_file_perms;
-  allow untrusted_app perfprofd_data_file:dir r_dir_perms;
-')
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_app self:process ptrace;
-
-# Programs routinely attempt to scan through /system, looking
-# for files. Suppress the denials when they occur.
-dontaudit untrusted_app exec_type:file getattr;
-
-# TODO: switch to meminfo service
-allow untrusted_app proc_meminfo:file r_file_perms;
-
-# https://code.google.com/p/chromium/issues/detail?id=586021
-allow untrusted_app proc:file r_file_perms;
-# access /proc/net/xt_qtguid/stats
-r_dir_file(untrusted_app, proc_net)
-
-# Cts: HwRngTest
-allow untrusted_app sysfs_hwrandom:dir search;
-allow untrusted_app sysfs_hwrandom:file r_file_perms;
-
-# Allow apps to view preloaded content
-allow untrusted_app preloads_data_file:dir r_dir_perms;
-allow untrusted_app preloads_data_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow untrusted_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow untrusted_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow untrusted_app debugfs_type:file read;
-
-# Do not allow untrusted apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow untrusted_app service_manager_type:service_manager add;
-
-# Do not allow untrusted_apps to connect to the property service
-# or set properties. b/10243159
-neverallow untrusted_app property_socket:sock_file write;
-neverallow untrusted_app init:unix_stream_socket connectto;
-neverallow untrusted_app property_type:property_service set;
-
-# Do not allow untrusted_app to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints.  As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and untrusted_app is allowed fork permission to itself.
-neverallow untrusted_app mlstrustedsubject:process fork;
-
-# Do not allow untrusted_app to hard link to any files.
-# In particular, if untrusted_app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure untrusted_app never has this
-# capability.
-neverallow untrusted_app file_type:file link;
-
-# Do not allow untrusted_app to access network MAC address file
-neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
-
-# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
-# ioctl permission, or 3. disallow the socket class.
-neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow untrusted_app *:{
-  socket netlink_socket packet_socket key_socket appletalk_socket
-  netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
-  netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
-  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
-  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
-  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
-  netlink_rdma_socket netlink_crypto_socket
-} *;
-
-# Do not allow untrusted_app access to /cache
-neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
-
-# Do not allow untrusted_app to set system properties.
-neverallow untrusted_app property_socket:sock_file write;
-neverallow untrusted_app property_type:property_service set;
-
-# Do not allow untrusted_app to create/unlink files outside of its sandbox,
-# internal storage or sdcard.
-# World accessible data locations allow application to fill the device
-# with unaccounted for data. This data will not get removed during
-# application un-installation.
-neverallow untrusted_app {
-  fs_type
-  -fuse                     # sdcard
-  -sdcardfs                 # sdcard
-  -vfat
-  file_type
-  -app_data_file            # The apps sandbox itself
-  -media_rw_data_file       # Internal storage. Known that apps can
-                            # leave artfacts here after uninstall.
-  -user_profile_data_file   # Access to profile files
-  -user_profile_foreign_dex_data_file   # Access to profile files
-  userdebug_or_eng(`
-    -method_trace_data_file # only on ro.debuggable=1
-    -coredump_file          # userdebug/eng only
-  ')
-}:dir_file_class_set { create unlink };
-
-# Do not allow untrusted_app to directly open tun_device
-neverallow untrusted_app tun_device:chr_file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-neverallow untrusted_app anr_data_file:file ~{ open append };
-neverallow untrusted_app anr_data_file:dir ~search;
diff --git a/update_verifier.te b/update_verifier.te
deleted file mode 100644
index 09d5fc4..0000000
--- a/update_verifier.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# update_verifier
-# update_verifier uses the boot_control_hal.
-type update_verifier, domain, boot_control_hal;
-type update_verifier_exec, exec_type, file_type;
-
-init_daemon_domain(update_verifier)
-
-# Allow update_verifier to reach block devices in /dev/block.
-allow update_verifier block_device:dir search;
-
-# Read care map in /data/ota_package/.
-allow update_verifier ota_package_file:dir r_dir_perms;
-allow update_verifier ota_package_file:file r_file_perms;
-
-# Read all blocks in system partition.
-allow update_verifier system_block_device:blk_file r_file_perms;
-
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..aeafb4a
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,2 @@
+# Socket types
+type hostapd_socket, file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
new file mode 100644
index 0000000..e7a371a
--- /dev/null
+++ b/vendor/file_contexts
@@ -0,0 +1,49 @@
+#############################
+# Default HALs
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service    u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.1-service    u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service          u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service            u:object_r:mediacodec_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service        u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.0-service        u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service        u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service      u:object_r:hal_tv_input_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
+/(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
+
+#############################
+# Same process HALs installed by platform into /vendor
+#
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so     u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so                              u:object_r:same_process_hal_file:s0
+
+#############################
+# Data files
+#
+/data/misc/wifi/hostapd(/.*)?   u:object_r:hostapd_socket:s0
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
new file mode 100644
index 0000000..0dc2170
--- /dev/null
+++ b/vendor/hal_audio_default.te
@@ -0,0 +1,8 @@
+type hal_audio_default, domain;
+hal_server_domain(hal_audio_default, hal_audio)
+
+type hal_audio_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_audio_default)
+
+hal_client_domain(hal_audio_default, hal_allocator)
+
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
new file mode 100644
index 0000000..01d60db
--- /dev/null
+++ b/vendor/hal_bluetooth_default.te
@@ -0,0 +1,5 @@
+type hal_bluetooth_default, domain;
+hal_server_domain(hal_bluetooth_default, hal_bluetooth)
+
+type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_bluetooth_default)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..ca30e58
--- /dev/null
+++ b/vendor/hal_bootctl_default.te
@@ -0,0 +1,6 @@
+# Boot control subsystem
+type hal_bootctl_default, domain;
+hal_server_domain(hal_bootctl_default, hal_bootctl)
+
+type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_bootctl_default)
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
new file mode 100644
index 0000000..239e5c1
--- /dev/null
+++ b/vendor/hal_camera_default.te
@@ -0,0 +1,7 @@
+type hal_camera_default, domain;
+hal_server_domain(hal_camera_default, hal_camera)
+
+type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_camera_default)
+
+allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
diff --git a/vendor/hal_configstore_default.te b/vendor/hal_configstore_default.te
new file mode 100644
index 0000000..cc61a16
--- /dev/null
+++ b/vendor/hal_configstore_default.te
@@ -0,0 +1,5 @@
+type hal_configstore_default, domain;
+hal_server_domain(hal_configstore_default, hal_configstore)
+
+type hal_configstore_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_configstore_default)
diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te
new file mode 100644
index 0000000..b29808d
--- /dev/null
+++ b/vendor/hal_contexthub_default.te
@@ -0,0 +1,5 @@
+type hal_contexthub_default, domain;
+hal_server_domain(hal_contexthub_default, hal_contexthub)
+
+type hal_contexthub_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_contexthub_default)
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
new file mode 100644
index 0000000..b79c3b5
--- /dev/null
+++ b/vendor/hal_drm_default.te
@@ -0,0 +1,8 @@
+type hal_drm_default, domain;
+hal_server_domain(hal_drm_default, hal_drm)
+
+type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_default)
+
+allow hal_drm_default mediacodec:fd use;
+allow hal_drm_default { appdomain -isolated_app }:fd use;
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
new file mode 100644
index 0000000..6fbf40f
--- /dev/null
+++ b/vendor/hal_dumpstate_default.te
@@ -0,0 +1,5 @@
+type hal_dumpstate_default, domain;
+hal_server_domain(hal_dumpstate_default, hal_dumpstate)
+
+type hal_dumpstate_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dumpstate_default)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..638b603
--- /dev/null
+++ b/vendor/hal_fingerprint_default.te
@@ -0,0 +1,5 @@
+type hal_fingerprint_default, domain;
+hal_server_domain(hal_fingerprint_default, hal_fingerprint)
+
+type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_default)
diff --git a/vendor/hal_gatekeeper_default.te b/vendor/hal_gatekeeper_default.te
new file mode 100644
index 0000000..a3654cc
--- /dev/null
+++ b/vendor/hal_gatekeeper_default.te
@@ -0,0 +1,5 @@
+type hal_gatekeeper_default, domain;
+hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)
+
+type hal_gatekeeper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_gatekeeper_default);
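Review bot: The init_daemon_domain invocation on the last line carries a trailing `;` that none of the other hal_*_default.te files in this change have; the macro expands to complete statements, so the semicolon is left over as a stray token after m4 expansion. Whether or not checkpolicy tolerates it, the line should read `init_daemon_domain(hal_gatekeeper_default)` for consistency with its siblings.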
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
new file mode 100644
index 0000000..4c40617
--- /dev/null
+++ b/vendor/hal_gnss_default.te
@@ -0,0 +1,10 @@
+type hal_gnss_default, domain;
+hal_server_domain(hal_gnss_default, hal_gnss)
+
+type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_gnss_default)
+
+# Read access to system files for HALs in
+# /{system,vendor,odm}/lib[64]/hw/ in order
+# to be able to open the hal implementation .so files
+r_dir_file(hal_gnss, system_file)
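Review bot: The r_dir_file rule on the last line is granted to the hal_gnss attribute rather than to hal_gnss_default, so every domain carrying that attribute (presumably both server and client domains via hal_server_domain/hal_client_domain) gains read access to system_file, which is wider than the domain this file declares. If only the default implementation needs to load its .so files, `r_dir_file(hal_gnss_default, system_file)` keeps the grant scoped to this domain; if the rule is meant for all hal_gnss servers it belongs in the public hal_gnss.te with a comment saying so. None of the sibling hal_*_default.te files in this change carry an equivalent attribute-wide grant, which suggests the broader form is accidental.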
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..5afa2b5
--- /dev/null
+++ b/vendor/hal_graphics_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_graphics_allocator_default, domain;
+hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
+
+type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_graphics_allocator_default)
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
new file mode 100644
index 0000000..47343d9
--- /dev/null
+++ b/vendor/hal_graphics_composer_default.te
@@ -0,0 +1,5 @@
+type hal_graphics_composer_default, domain;
+hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
+
+type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_graphics_composer_default)
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
new file mode 100644
index 0000000..9b2b921
--- /dev/null
+++ b/vendor/hal_health_default.te
@@ -0,0 +1,6 @@
+# health info abstraction
+type hal_health_default, domain;
+hal_server_domain(hal_health_default, hal_health)
+
+type hal_health_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_health_default)
diff --git a/vendor/hal_ir_default.te b/vendor/hal_ir_default.te
new file mode 100644
index 0000000..943aab0
--- /dev/null
+++ b/vendor/hal_ir_default.te
@@ -0,0 +1,5 @@
+type hal_ir_default, domain;
+hal_server_domain(hal_ir_default, hal_ir)
+
+type hal_ir_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_ir_default)
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
new file mode 100644
index 0000000..82a5a20
--- /dev/null
+++ b/vendor/hal_keymaster_default.te
@@ -0,0 +1,5 @@
+type hal_keymaster_default, domain;
+hal_server_domain(hal_keymaster_default, hal_keymaster)
+
+type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymaster_default)
diff --git a/vendor/hal_light_default.te b/vendor/hal_light_default.te
new file mode 100644
index 0000000..c7fa9a1
--- /dev/null
+++ b/vendor/hal_light_default.te
@@ -0,0 +1,5 @@
+type hal_light_default, domain;
+hal_server_domain(hal_light_default, hal_light)
+
+type hal_light_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_light_default)
diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te
new file mode 100644
index 0000000..c547699
--- /dev/null
+++ b/vendor/hal_memtrack_default.te
@@ -0,0 +1,5 @@
+type hal_memtrack_default, domain;
+hal_server_domain(hal_memtrack_default, hal_memtrack)
+
+type hal_memtrack_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_memtrack_default)
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..c13baa7
--- /dev/null
+++ b/vendor/hal_nfc_default.te
@@ -0,0 +1,5 @@
+type hal_nfc_default, domain;
+hal_server_domain(hal_nfc_default, hal_nfc)
+
+type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_nfc_default)
diff --git a/vendor/hal_omx.te b/vendor/hal_omx.te
new file mode 100644
index 0000000..fdb4aca
--- /dev/null
+++ b/vendor/hal_omx.te
@@ -0,0 +1 @@
+init_daemon_domain(mediacodec)
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
new file mode 100644
index 0000000..3be4f22
--- /dev/null
+++ b/vendor/hal_power_default.te
@@ -0,0 +1,5 @@
+type hal_power_default, domain;
+hal_server_domain(hal_power_default, hal_power)
+
+type hal_power_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_power_default)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..8379c82
--- /dev/null
+++ b/vendor/hal_sensors_default.te
@@ -0,0 +1,7 @@
+type hal_sensors_default, domain;
+hal_server_domain(hal_sensors_default, hal_sensors)
+
+type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_sensors_default)
+
+allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
diff --git a/vendor/hal_thermal_default.te b/vendor/hal_thermal_default.te
new file mode 100644
index 0000000..73b2eff
--- /dev/null
+++ b/vendor/hal_thermal_default.te
@@ -0,0 +1,5 @@
+type hal_thermal_default, domain;
+hal_server_domain(hal_thermal_default, hal_thermal)
+
+type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;
+init_daemon_domain(hal_thermal_default)
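Review bot: The type declaration on the fourth line lists `vendor_file_type` twice; whether the policy compiler ignores a repeated attribute or rejects it, the duplicate is a copy-paste slip and should read `type hal_thermal_default_exec, exec_type, vendor_file_type, file_type;` like the other hal_*_default.te files in this change.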
diff --git a/vendor/hal_tv_cec_default.te b/vendor/hal_tv_cec_default.te
new file mode 100644
index 0000000..080e73b
--- /dev/null
+++ b/vendor/hal_tv_cec_default.te
@@ -0,0 +1,5 @@
+type hal_tv_cec_default, domain;
+hal_server_domain(hal_tv_cec_default, hal_tv_cec)
+
+type hal_tv_cec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_cec_default)
diff --git a/vendor/hal_tv_input_default.te b/vendor/hal_tv_input_default.te
new file mode 100644
index 0000000..12d9743
--- /dev/null
+++ b/vendor/hal_tv_input_default.te
@@ -0,0 +1,6 @@
+type hal_tv_input_default, domain;
+hal_server_domain(hal_tv_input_default, hal_tv_input)
+
+type hal_tv_input_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_input_default)
+
diff --git a/vendor/hal_usb_default.te b/vendor/hal_usb_default.te
new file mode 100644
index 0000000..5642a2a
--- /dev/null
+++ b/vendor/hal_usb_default.te
@@ -0,0 +1,5 @@
+type hal_usb_default, domain;
+hal_server_domain(hal_usb_default, hal_usb)
+
+type hal_usb_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_usb_default)
diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te
new file mode 100644
index 0000000..6c10d8a
--- /dev/null
+++ b/vendor/hal_vibrator_default.te
@@ -0,0 +1,5 @@
+type hal_vibrator_default, domain;
+hal_server_domain(hal_vibrator_default, hal_vibrator)
+
+type hal_vibrator_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vibrator_default)
diff --git a/vendor/hal_vr_default.te b/vendor/hal_vr_default.te
new file mode 100644
index 0000000..6a60192
--- /dev/null
+++ b/vendor/hal_vr_default.te
@@ -0,0 +1,5 @@
+type hal_vr_default, domain;
+hal_server_domain(hal_vr_default, hal_vr)
+
+type hal_vr_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vr_default)
diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..75a9842
--- /dev/null
+++ b/vendor/hal_wifi_default.te
@@ -0,0 +1,5 @@
+type hal_wifi_default, domain;
+hal_server_domain(hal_wifi_default, hal_wifi)
+
+type hal_wifi_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_default)
diff --git a/vendor/hal_wifi_offload_default.te b/vendor/hal_wifi_offload_default.te
new file mode 100644
index 0000000..44bd306
--- /dev/null
+++ b/vendor/hal_wifi_offload_default.te
@@ -0,0 +1,5 @@
+type hal_wifi_offload_default, domain;
+hal_server_domain(hal_wifi_offload_default, hal_wifi_offload)
+
+type hal_wifi_offload_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_offload_default)
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..8d7069c
--- /dev/null
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -0,0 +1,14 @@
+# wpa supplicant or equivalent
+type hal_wifi_supplicant_default, domain;
+hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
+type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_supplicant_default)
+
+net_domain(hal_wifi_supplicant_default)
+# Create a socket for receiving info from wpa
+type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
+
+# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
+hwbinder_use(hal_wifi_supplicant_default)
+allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
+binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
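Review bot: The neverallow rules that the deleted wpa.te carried for sdcard_type (`neverallow wpa sdcard_type:dir ~getattr;` and `neverallow wpa sdcard_type:file *;`) have no counterpart in hal_wifi_supplicant_default.te. If they were relocated into the public hal_wifi_supplicant policy that is fine, but that file is not part of this excerpt; otherwise the new domain loses its compile-time guard against reading attacker-writable sdcard content. Similarly, this file declares the type_transition into wpa_socket but contains none of the wpa_socket dir/sock_file allow rules that wpa.te had; if those are not granted on the attribute elsewhere, the transition can never be exercised. A comment naming where the neverallow and wpa_socket rules now live would make the move auditable.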
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
new file mode 100644
index 0000000..2c62cf0
--- /dev/null
+++ b/vendor/hostapd.te
@@ -0,0 +1,33 @@
+# userspace wifi access points
+type hostapd, domain;
+type hostapd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hostapd)
+
+net_domain(hostapd)
+allow hostapd self:capability { net_admin net_raw };
+
+# hostapd learns about its network interface via sysfs.
+allow hostapd sysfs:file r_file_perms;
+# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
+allow hostapd sysfs:lnk_file r_file_perms;
+
+# Allow hostapd to access /proc/net/psched
+allow hostapd proc_net:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
+allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
+allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hostapd self:packet_socket create_socket_perms_no_ioctl;
+allow hostapd self:netlink_route_socket nlmsg_write;
+
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms;
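Review bot: The comment above `allow hostapd proc_net:file { getattr open read };` names only /proc/net/psched, but proc_net is the label for /proc/net as a whole, so the rule grants read of every file under it and the comment understates what is being opened up. Suggest `# Allow hostapd to read files labelled proc_net (all of /proc/net); needed for /proc/net/psched.` so the scope is explicit if a narrower label is introduced later. The `allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;` line also has no comment, and the base udp_socket ioctl permission it refines is not in this file (presumably granted via net_domain); a short note to that effect would help the next reader.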
diff --git a/vendor/rild.te b/vendor/rild.te
new file mode 100644
index 0000000..ea9109b
--- /dev/null
+++ b/vendor/rild.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+type rild_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(rild)
+
+# TODO(b/36613472), TODO(b/36718031): Remove this once rild no longer
+# communicates with non-vendor components over sockets.
+typeattribute rild socket_between_core_and_vendor_violators;
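Review bot: The two-line header comment of rild.te is missing punctuation and reads as one run-on sentence ("type_transition must be private policy the domain_trans rules could stay public"). Suggest `# type_transition must be private policy; the domain_trans rules could stay` followed by `# public, but conceptually they belong with it.` so the intent of keeping the exec type and init_daemon_domain here is clear.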
diff --git a/vendor/tee.te b/vendor/tee.te
new file mode 100644
index 0000000..348d715
--- /dev/null
+++ b/vendor/tee.te
@@ -0,0 +1,17 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(tee)
+
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:file create_file_perms;
+allow tee self:netlink_socket create_socket_perms_no_ioctl;
+allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow tee ion_device:chr_file r_file_perms;
+r_dir_file(tee, sysfs_type)
+
+allow tee system_data_file:file { getattr read };
+allow tee system_data_file:lnk_file r_file_perms;
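Review bot: `allow tee self:capability { dac_override };` is the only capability tee.te grants and the broadest rule in the file, yet it has no comment saying which access needs it; dac_override bypasses every DAC check, so a reviewer should be able to verify that the need still exists. Suggest `# dac_override: needed to open <path> owned by <uid>; TODO(<bug>) fix ownership/labels and drop` with the placeholders filled in. The same applies to `allow tee system_data_file:file { getattr read };`, where a comment naming the files read would let a later cleanup replace the generic label with a tee-specific one.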
diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts
new file mode 100644
index 0000000..4cca2fb
--- /dev/null
+++ b/vendor/vndservice_contexts
@@ -0,0 +1 @@
+*                       u:object_r:default_android_vndservice:s0
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
new file mode 100644
index 0000000..f956af8
--- /dev/null
+++ b/vendor/vndservicemanager.te
@@ -0,0 +1,17 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -coredomain -init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Read vndservice_contexts
+allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)
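Review bot: `init_daemon_domain(vndservicemanager);` ends with a semicolon, unlike every other init_daemon_domain call in this change. The other files use the macro with no terminator, which suggests its expansion is self-contained, so the stray `;` is at best an empty token the compiler ignores and at worst a syntax error depending on the toolchain; the line should be `init_daemon_domain(vndservicemanager)`.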
diff --git a/wpa.te b/wpa.te
deleted file mode 100644
index 46d975b..0000000
--- a/wpa.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# wpa - wpa supplicant or equivalent
-type wpa, domain, domain_deprecated;
-type wpa_exec, exec_type, file_type;
-
-init_daemon_domain(wpa)
-
-net_domain(wpa)
-
-allow wpa kernel:system module_request;
-allow wpa self:capability { setuid net_admin setgid net_raw };
-allow wpa cgroup:dir create_dir_perms;
-allow wpa self:netlink_route_socket nlmsg_write;
-allow wpa self:netlink_socket create_socket_perms;
-allow wpa self:netlink_generic_socket create_socket_perms;
-allow wpa self:packet_socket create_socket_perms;
-allow wpa wifi_data_file:dir create_dir_perms;
-allow wpa wifi_data_file:file create_file_perms;
-unix_socket_send(wpa, system_wpa, system_server)
-
-binder_use(wpa)
-
-# Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:dir wpa_socket "sockets";
-allow wpa wpa_socket:dir create_dir_perms;
-allow wpa wpa_socket:sock_file create_file_perms;
-
-use_keystore(wpa)
-
-# WPA (wifi) has a restricted set of permissions from the default.
-allow wpa keystore:keystore_key {
-	get
-	sign
-	verify
-};
-
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which wpa supplicant communicates with.
-userdebug_or_eng(`
-  unix_socket_send(wpa, wpa, su)
-')
-
-###
-### neverallow rules
-###
-
-# wpa_supplicant should not trust any data from sdcards
-neverallow wpa sdcard_type:dir ~getattr;
-neverallow wpa sdcard_type:file *;